{
 "Description": "(SO0111R) Automated Security Response on AWS Remediation Roles, v2.2.1",
 "AWSTemplateFormatVersion": "2010-09-09",
 "Metadata": {
  "cdk_nag": {
   "rules_to_suppress": [
    {
     "reason": "Resource and action wildcards are needed to remediate findings on arbitrary resources",
     "id": "AwsSolutions-IAM5"
    }
   ]
  }
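 },
 "Parameters": {
  "SecHubAdminAccount": {
   "Type": "String",
   "AllowedPattern": "^\\d{12}$",
   "Description": "12-digit AWS account ID of the Security Hub admin account. The Orchestrator member role created by this template trusts the SO0111-SHARR-Orchestrator-Admin role in this account."
  },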
  "Namespace": {
   "Type": "String",
   "AllowedPattern": "(?!(^xn--|^sthree-|^sthree-configurator|^amzn-s3-demo-|.+-s3alias|.+--ol-s3|.+.mrap|.+--x-s3$))^[a-z0-9][a-z0-9-]{1,7}[a-z0-9]$",
   "ConstraintDescription": "The Namespace parameter must follow naming restrictions for S3 buckets and have a minimum length of 3 and a maximum length of 9. https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucketnamingrules.html",
   "Description": "Choose a unique namespace to be added as a suffix to remediation IAM role names. The same namespace should be used in the Member Roles and Member stacks. This string should be unique for each solution deployment.",
   "MaxLength": 9,
   "MinLength": 3
  }
 },
 "Resources": {
  "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "SecHubAdminAccount"
           },
           ":role/SO0111-SHARR-Orchestrator-Admin"
          ]
         ]
        }
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "Service": "ssm.amazonaws.com"
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "Policies": [
     {
      "PolicyDocument": {
       "Statement": [
        {
         "Action": [
          "iam:PassRole",
          "iam:GetRole"
         ],
         "Effect": "Allow",
         "Resource": {
          "Fn::Join": [
           "",
           [
            "arn:",
            {
             "Ref": "AWS::Partition"
            },
            ":iam::",
            {
             "Ref": "AWS::AccountId"
            },
            ":role/SO0111-*"
           ]
          ]
         }
        },
        {
         "Action": "ssm:StartAutomationExecution",
         "Effect": "Allow",
         "Resource": [
          {
           "Fn::Join": [
            "",
            [
             "arn:",
             {
              "Ref": "AWS::Partition"
             },
             ":ssm:*:",
             {
              "Ref": "AWS::AccountId"
             },
             ":document/ASR-*"
            ]
           ]
          },
          {
           "Fn::Join": [
            "",
            [
             "arn:",
             {
              "Ref": "AWS::Partition"
             },
             ":ssm:*:",
             {
              "Ref": "AWS::AccountId"
             },
             ":automation-definition/*"
            ]
           ]
          },
          {
           "Fn::Join": [
            "",
            [
             "arn:",
             {
              "Ref": "AWS::Partition"
             },
             ":ssm:*::automation-definition/*"
            ]
           ]
          },
          {
           "Fn::Join": [
            "",
            [
             "arn:",
             {
              "Ref": "AWS::Partition"
             },
             ":ssm:*:",
             {
              "Ref": "AWS::AccountId"
             },
             ":automation-execution/*"
            ]
           ]
          }
         ]
        },
        {
         "Action": [
          "ssm:DescribeAutomationExecutions",
          "ssm:GetAutomationExecution"
         ],
         "Effect": "Allow",
         "Resource": "*"
        },
        {
         "Action": "ssm:DescribeDocument",
         "Effect": "Allow",
         "Resource": {
          "Fn::Join": [
           "",
           [
            "arn:",
            {
             "Ref": "AWS::Partition"
            },
            ":ssm:*:*:document/*"
           ]
          ]
         }
        },
        {
         "Action": [
          "ssm:GetParameters",
          "ssm:GetParameter"
         ],
         "Effect": "Allow",
         "Resource": {
          "Fn::Join": [
           "",
           [
            "arn:",
            {
             "Ref": "AWS::Partition"
            },
            ":ssm:*:*:parameter/Solutions/SO0111/*"
           ]
          ]
         }
        },
        {
         "Action": "config:DescribeConfigRules",
         "Effect": "Allow",
         "Resource": "*"
        },
        {
         "Action": [
          "cloudwatch:PutMetricData",
          "securityhub:BatchUpdateFindings"
         ],
         "Effect": "Allow",
         "Resource": "*"
        }
       ],
       "Version": "2012-10-17"
      },
      "PolicyName": "member_orchestrator"
     }
    ],
    "RoleName": "SO0111-SHARR-Orchestrator-Member"
   },
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W11",
       "reason": "Resource * is required due to the administrative nature of the solution."
      },
      {
       "id": "W28",
       "reason": "Static names chosen intentionally to provide integration in cross-account permissions"
      }
     ]
    },
    "guard": {
     "SuppressedRules": [
      "IAM_NO_INLINE_POLICY_CHECK"
     ]
    }
   }
  },
  "ASRRemediationPolicyCreateCloudTrailMultiRegionTrail7713D52C": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "cloudtrail:CreateTrail",
        "cloudtrail:UpdateTrail",
        "cloudtrail:StartLogging"
       ],
       "Effect": "Allow",
       "Resource": "*"
      },
      {
       "Action": [
        "s3:CreateBucket",
        "s3:PutEncryptionConfiguration",
        "s3:PutBucketPublicAccessBlock",
        "s3:PutBucketLogging",
        "s3:PutBucketAcl",
        "s3:PutBucketPolicy",
        "s3:PutBucketOwnershipControls"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":s3:::so0111-*"
         ]
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "ASRRemediationPolicyCreateCloudTrailMultiRegionTrail7713D52C",
    "Roles": [
     {
      "Ref": "RemediationRoleCreateCloudTrailMultiRegionTrailMemberAccountRoleF70577FF"
     }
    ]
   },
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W12",
       "reason": "Resource * is required to allow remediation."
      },
      {
       "id": "W28",
       "reason": "Static names chosen intentionally to provide integration in cross-account permissions."
      }
     ]
    }
   }
  },
  "RemediationRoleCreateCloudTrailMultiRegionTrailSHARRMemberBasePolicyA86222AF": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "ssm:GetParameters",
        "ssm:GetParameter",
        "ssm:PutParameter"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":ssm:*:",
          {
           "Ref": "AWS::AccountId"
          },
          ":parameter/Solutions/SO0111/*"
         ]
        ]
       }
      },
      {
       "Action": "iam:PassRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-CreateCloudTrailMultiRegionTrail-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      },
      {
       "Action": [
        "ssm:StartAutomationExecution",
        "ssm:GetAutomationExecution",
        "ssm:DescribeAutomationStepExecutions"
       ],
       "Effect": "Allow",
       "Resource": [
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":document/Solutions/SHARR-SO0111-CreateCloudTrailMultiRegionTrail-",
           {
            "Ref": "Namespace"
           }
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*::automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-execution/*"
          ]
         ]
        }
       ]
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-CreateCloudTrailMultiRegionTrail-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "RemediationRoleCreateCloudTrailMultiRegionTrailSHARRMemberBasePolicyA86222AF",
    "Roles": [
     {
      "Ref": "RemediationRoleCreateCloudTrailMultiRegionTrailMemberAccountRoleF70577FF"
     }
    ]
   }
  },
  "RemediationRoleCreateCloudTrailMultiRegionTrailMemberAccountRoleF70577FF": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":role/SO0111-SHARR-Orchestrator-Member"
          ]
         ]
        }
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "Service": "ssm.amazonaws.com"
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":root"
          ]
         ]
        }
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "RoleName": {
     "Fn::Join": [
      "",
      [
       "SO0111-CreateCloudTrailMultiRegionTrail-",
       {
        "Ref": "Namespace"
       }
      ]
     ]
    }
   },
   "DependsOn": [
    "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5"
   ],
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W11",
       "reason": "Resource * is required due to the administrative nature of the solution."
      },
      {
       "id": "W28",
       "reason": "Static names chosen intentionally to provide integration in cross-account permissions"
      }
     ]
    }
   }
  },
  "ASRRemediationPolicyCreateLogMetricFilterAndAlarm8937C9B2": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "logs:PutMetricFilter",
        "cloudwatch:PutMetricAlarm"
       ],
       "Effect": "Allow",
       "Resource": [
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":logs:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":log-group:*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":cloudwatch:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":alarm:*"
          ]
         ]
        }
       ]
      },
      {
       "Action": [
        "sns:CreateTopic",
        "sns:SetTopicAttributes"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":sns:*:",
          {
           "Ref": "AWS::AccountId"
          },
          ":SO0111-SHARR-LocalAlarmNotification"
         ]
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "ASRRemediationPolicyCreateLogMetricFilterAndAlarm8937C9B2",
    "Roles": [
     {
      "Ref": "RemediationRoleCreateLogMetricFilterAndAlarmMemberAccountRoleAA3E3C8A"
     }
    ]
   }
  },
  "RemediationRoleCreateLogMetricFilterAndAlarmSHARRMemberBasePolicy2AFEEF94": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "ssm:GetParameters",
        "ssm:GetParameter",
        "ssm:PutParameter"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":ssm:*:",
          {
           "Ref": "AWS::AccountId"
          },
          ":parameter/Solutions/SO0111/*"
         ]
        ]
       }
      },
      {
       "Action": "iam:PassRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-CreateLogMetricFilterAndAlarm-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      },
      {
       "Action": [
        "ssm:StartAutomationExecution",
        "ssm:GetAutomationExecution",
        "ssm:DescribeAutomationStepExecutions"
       ],
       "Effect": "Allow",
       "Resource": [
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":document/Solutions/SHARR-SO0111-CreateLogMetricFilterAndAlarm-",
           {
            "Ref": "Namespace"
           }
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*::automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-execution/*"
          ]
         ]
        }
       ]
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-CreateLogMetricFilterAndAlarm-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "RemediationRoleCreateLogMetricFilterAndAlarmSHARRMemberBasePolicy2AFEEF94",
    "Roles": [
     {
      "Ref": "RemediationRoleCreateLogMetricFilterAndAlarmMemberAccountRoleAA3E3C8A"
     }
    ]
   }
  },
  "RemediationRoleCreateLogMetricFilterAndAlarmMemberAccountRoleAA3E3C8A": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":role/SO0111-SHARR-Orchestrator-Member"
          ]
         ]
        }
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "Service": "ssm.amazonaws.com"
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":root"
          ]
         ]
        }
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "RoleName": {
     "Fn::Join": [
      "",
      [
       "SO0111-CreateLogMetricFilterAndAlarm-",
       {
        "Ref": "Namespace"
       }
      ]
     ]
    }
   },
   "DependsOn": [
    "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5"
   ],
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W11",
       "reason": "Resource * is required due to the administrative nature of the solution."
      },
      {
       "id": "W28",
       "reason": "Static names chosen intentionally to provide integration in cross-account permissions"
      }
     ]
    }
   }
  },
  "ASRRemediationPolicyEnableAutoScalingGroupELBHealthCheckF0CEBAAC": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "autoscaling:UpdateAutoScalingGroup",
        "autoscaling:DescribeAutoScalingGroups"
       ],
       "Effect": "Allow",
       "Resource": "*"
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "ASRRemediationPolicyEnableAutoScalingGroupELBHealthCheckF0CEBAAC",
    "Roles": [
     {
      "Ref": "RemediationRoleEnableAutoScalingGroupELBHealthCheckMemberAccountRole03AE4AEA"
     }
    ]
   },
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W12",
       "reason": "Resource * is required to allow remediation for *any* ASG."
      }
     ]
    }
   }
  },
  "RemediationRoleEnableAutoScalingGroupELBHealthCheckSHARRMemberBasePolicy3ED01525": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "ssm:GetParameters",
        "ssm:GetParameter",
        "ssm:PutParameter"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":ssm:*:",
          {
           "Ref": "AWS::AccountId"
          },
          ":parameter/Solutions/SO0111/*"
         ]
        ]
       }
      },
      {
       "Action": "iam:PassRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-EnableAutoScalingGroupELBHealthCheck-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      },
      {
       "Action": [
        "ssm:StartAutomationExecution",
        "ssm:GetAutomationExecution",
        "ssm:DescribeAutomationStepExecutions"
       ],
       "Effect": "Allow",
       "Resource": [
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":document/Solutions/SHARR-SO0111-EnableAutoScalingGroupELBHealthCheck-",
           {
            "Ref": "Namespace"
           }
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*::automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-execution/*"
          ]
         ]
        }
       ]
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-EnableAutoScalingGroupELBHealthCheck-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "RemediationRoleEnableAutoScalingGroupELBHealthCheckSHARRMemberBasePolicy3ED01525",
    "Roles": [
     {
      "Ref": "RemediationRoleEnableAutoScalingGroupELBHealthCheckMemberAccountRole03AE4AEA"
     }
    ]
   }
  },
  "RemediationRoleEnableAutoScalingGroupELBHealthCheckMemberAccountRole03AE4AEA": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":role/SO0111-SHARR-Orchestrator-Member"
          ]
         ]
        }
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "Service": "ssm.amazonaws.com"
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":root"
          ]
         ]
        }
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "RoleName": {
     "Fn::Join": [
      "",
      [
       "SO0111-EnableAutoScalingGroupELBHealthCheck-",
       {
        "Ref": "Namespace"
       }
      ]
     ]
    }
   },
   "DependsOn": [
    "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5"
   ],
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W11",
       "reason": "Resource * is required due to the administrative nature of the solution."
      },
      {
       "id": "W28",
       "reason": "Static names chosen intentionally to provide integration in cross-account permissions"
      }
     ]
    }
   }
  },
  "ASRRemediationPolicyEnableAWSConfig9DF637C7": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "iam:GetRole",
        "iam:PassRole"
       ],
       "Effect": "Allow",
       "Resource": [
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":role/SO0111-CreateAccessLoggingBucket-",
           {
            "Ref": "Namespace"
           }
          ]
         ]
        }
       ]
      },
      {
       "Action": [
        "sns:CreateTopic",
        "sns:SetTopicAttributes"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":sns:*:",
          {
           "Ref": "AWS::AccountId"
          },
          ":SO0111-SHARR-AWSConfigNotification"
         ]
        ]
       }
      },
      {
       "Action": "ssm:StartAutomationExecution",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":ssm:*:",
          {
           "Ref": "AWS::AccountId"
          },
          ":automation-definition/ASR-CreateAccessLoggingBucket:*"
         ]
        ]
       }
      },
      {
       "Action": [
        "ssm:GetAutomationExecution",
        "config:PutConfigurationRecorder",
        "config:PutDeliveryChannel",
        "config:DescribeConfigurationRecorders",
        "config:StartConfigurationRecorder",
        "config:DescribeDeliveryChannels",
        "config:DescribeConfigurationRecorderStatus"
       ],
       "Effect": "Allow",
       "Resource": "*"
      },
      {
       "Action": [
        "s3:CreateBucket",
        "s3:PutEncryptionConfiguration",
        "s3:PutBucketPublicAccessBlock",
        "s3:PutBucketLogging",
        "s3:PutBucketAcl",
        "s3:PutBucketPolicy"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":s3:::so0111-*"
         ]
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "ASRRemediationPolicyEnableAWSConfig9DF637C7",
    "Roles": [
     {
      "Ref": "RemediationRoleEnableAWSConfigMemberAccountRole3914B25F"
     }
    ]
   },
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W12",
       "reason": "Resource * is required to allow remediation for *any* resource."
      }
     ]
    }
   }
  },
  "RemediationRoleEnableAWSConfigSHARRMemberBasePolicy535B8C0F": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "ssm:GetParameters",
        "ssm:GetParameter",
        "ssm:PutParameter"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":ssm:*:",
          {
           "Ref": "AWS::AccountId"
          },
          ":parameter/Solutions/SO0111/*"
         ]
        ]
       }
      },
      {
       "Action": "iam:PassRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-EnableAWSConfig-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      },
      {
       "Action": [
        "ssm:StartAutomationExecution",
        "ssm:GetAutomationExecution",
        "ssm:DescribeAutomationStepExecutions"
       ],
       "Effect": "Allow",
       "Resource": [
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":document/Solutions/SHARR-SO0111-EnableAWSConfig-",
           {
            "Ref": "Namespace"
           }
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*::automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-execution/*"
          ]
         ]
        }
       ]
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-EnableAWSConfig-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "RemediationRoleEnableAWSConfigSHARRMemberBasePolicy535B8C0F",
    "Roles": [
     {
      "Ref": "RemediationRoleEnableAWSConfigMemberAccountRole3914B25F"
     }
    ]
   }
  },
  "RemediationRoleEnableAWSConfigMemberAccountRole3914B25F": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":role/SO0111-SHARR-Orchestrator-Member"
          ]
         ]
        }
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "Service": "ssm.amazonaws.com"
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":root"
          ]
         ]
        }
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "RoleName": {
     "Fn::Join": [
      "",
      [
       "SO0111-EnableAWSConfig-",
       {
        "Ref": "Namespace"
       }
      ]
     ]
    }
   },
   "DependsOn": [
    "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5"
   ],
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W11",
       "reason": "Resource * is required due to the administrative nature of the solution."
      },
      {
       "id": "W28",
       "reason": "Static names chosen intentionally to provide integration in cross-account permissions"
      }
     ]
    }
   }
  },
  "ASRRemediationPolicyEnableCloudTrailToCloudWatchLoggingAA242151": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": "cloudtrail:UpdateTrail",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":cloudtrail:*:",
          {
           "Ref": "AWS::AccountId"
          },
          ":trail/*"
         ]
        ]
       }
      },
      {
       "Action": "iam:PassRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::GetAtt": [
         "ctcwremediationrole7AB69D0B",
         "Arn"
        ]
       }
      },
      {
       "Action": [
        "logs:CreateLogGroup",
        "logs:DescribeLogGroups"
       ],
       "Effect": "Allow",
       "Resource": "*"
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "ASRRemediationPolicyEnableCloudTrailToCloudWatchLoggingAA242151",
    "Roles": [
     {
      "Ref": "RemediationRoleEnableCloudTrailToCloudWatchLoggingMemberAccountRoleE7E9C206"
     }
    ]
   },
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W12",
       "reason": "Resource * is required to allow creation and description of any log group"
      },
      {
       "id": "W28",
       "reason": "Static resource names are required to enable cross-account functionality"
      }
     ]
    }
   }
  },
  "ctcwremediationrole7AB69D0B": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "Service": {
         "Fn::Join": [
          "",
          [
           "cloudtrail.",
           {
            "Ref": "AWS::URLSuffix"
           }
          ]
         ]
        }
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "Policies": [
     {
      "PolicyDocument": {
       "Statement": [
        {
         "Action": "logs:CreateLogStream",
         "Effect": "Allow",
         "Resource": {
          "Fn::Join": [
           "",
           [
            "arn:",
            {
             "Ref": "AWS::Partition"
            },
            ":logs:*:*:log-group:*"
           ]
          ]
         }
        },
        {
         "Action": "logs:PutLogEvents",
         "Effect": "Allow",
         "Resource": {
          "Fn::Join": [
           "",
           [
            "arn:",
            {
             "Ref": "AWS::Partition"
            },
            ":logs:*:*:log-group:*:log-stream:*"
           ]
          ]
         }
        }
       ],
       "Version": "2012-10-17"
      },
      "PolicyName": "default_lambdaPolicy"
     }
    ],
    "RoleName": {
     "Fn::Join": [
      "",
      [
       "SO0111-CloudTrailToCloudWatchLogs-",
       {
        "Ref": "Namespace"
       }
      ]
     ]
    }
   },
   "UpdateReplacePolicy": "Retain",
   "DeletionPolicy": "Retain",
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W28",
       "reason": "Static names chosen intentionally to provide integration in cross-account permissions"
      }
     ]
    },
    "guard": {
     "SuppressedRules": [
      "IAM_NO_INLINE_POLICY_CHECK"
     ]
    }
   }
  },
  "RemediationRoleEnableCloudTrailToCloudWatchLoggingSHARRMemberBasePolicy0E4130D5": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "ssm:GetParameters",
        "ssm:GetParameter",
        "ssm:PutParameter"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":ssm:*:",
          {
           "Ref": "AWS::AccountId"
          },
          ":parameter/Solutions/SO0111/*"
         ]
        ]
       }
      },
      {
       "Action": "iam:PassRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-EnableCloudTrailToCloudWatchLogging-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      },
      {
       "Action": [
        "ssm:StartAutomationExecution",
        "ssm:GetAutomationExecution",
        "ssm:DescribeAutomationStepExecutions"
       ],
       "Effect": "Allow",
       "Resource": [
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":document/Solutions/SHARR-SO0111-EnableCloudTrailToCloudWatchLogging-",
           {
            "Ref": "Namespace"
           }
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*::automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-execution/*"
          ]
         ]
        }
       ]
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-EnableCloudTrailToCloudWatchLogging-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "RemediationRoleEnableCloudTrailToCloudWatchLoggingSHARRMemberBasePolicy0E4130D5",
    "Roles": [
     {
      "Ref": "RemediationRoleEnableCloudTrailToCloudWatchLoggingMemberAccountRoleE7E9C206"
     }
    ]
   }
  },
  "RemediationRoleEnableCloudTrailToCloudWatchLoggingMemberAccountRoleE7E9C206": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":role/SO0111-SHARR-Orchestrator-Member"
          ]
         ]
        }
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "Service": "ssm.amazonaws.com"
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":root"
          ]
         ]
        }
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "RoleName": {
     "Fn::Join": [
      "",
      [
       "SO0111-EnableCloudTrailToCloudWatchLogging-",
       {
        "Ref": "Namespace"
       }
      ]
     ]
    }
   },
   "DependsOn": [
    "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5"
   ],
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W11",
       "reason": "Resource * is required due to the administrative nature of the solution."
      },
      {
       "id": "W28",
       "reason": "Static names chosen intentionally to provide integration in cross-account permissions"
      }
     ]
    }
   }
  },
  "ASRRemediationPolicyEnableCloudTrailEncryptionA9BFF78B": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": "cloudtrail:UpdateTrail",
       "Effect": "Allow",
       "Resource": "*"
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "ASRRemediationPolicyEnableCloudTrailEncryptionA9BFF78B",
    "Roles": [
     {
      "Ref": "RemediationRoleEnableCloudTrailEncryptionMemberAccountRoleA936699B"
     }
    ]
   },
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W12",
       "reason": "Resource * is required to allow remediation."
      },
      {
       "id": "W28",
       "reason": "Static names chosen intentionally to provide integration in cross-account permissions."
      }
     ]
    }
   }
  },
  "RemediationRoleEnableCloudTrailEncryptionSHARRMemberBasePolicy6489774E": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "ssm:GetParameters",
        "ssm:GetParameter",
        "ssm:PutParameter"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":ssm:*:",
          {
           "Ref": "AWS::AccountId"
          },
          ":parameter/Solutions/SO0111/*"
         ]
        ]
       }
      },
      {
       "Action": "iam:PassRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-EnableCloudTrailEncryption-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      },
      {
       "Action": [
        "ssm:StartAutomationExecution",
        "ssm:GetAutomationExecution",
        "ssm:DescribeAutomationStepExecutions"
       ],
       "Effect": "Allow",
       "Resource": [
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":document/Solutions/SHARR-SO0111-EnableCloudTrailEncryption-",
           {
            "Ref": "Namespace"
           }
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*::automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-execution/*"
          ]
         ]
        }
       ]
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-EnableCloudTrailEncryption-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "RemediationRoleEnableCloudTrailEncryptionSHARRMemberBasePolicy6489774E",
    "Roles": [
     {
      "Ref": "RemediationRoleEnableCloudTrailEncryptionMemberAccountRoleA936699B"
     }
    ]
   }
  },
  "RemediationRoleEnableCloudTrailEncryptionMemberAccountRoleA936699B": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":role/SO0111-SHARR-Orchestrator-Member"
          ]
         ]
        }
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "Service": "ssm.amazonaws.com"
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":root"
          ]
         ]
        }
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "RoleName": {
     "Fn::Join": [
      "",
      [
       "SO0111-EnableCloudTrailEncryption-",
       {
        "Ref": "Namespace"
       }
      ]
     ]
    }
   },
   "DependsOn": [
    "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5"
   ],
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W11",
       "reason": "Resource * is required due to the administrative nature of the solution."
      },
      {
       "id": "W28",
       "reason": "Static names chosen intentionally to provide integration in cross-account permissions"
      }
     ]
    }
   }
  },
  "ASRRemediationPolicyEnableDefaultEncryptionS3281EC5FA": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "s3:PutEncryptionConfiguration",
        "kms:GenerateDataKey"
       ],
       "Effect": "Allow",
       "Resource": "*"
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "ASRRemediationPolicyEnableDefaultEncryptionS3281EC5FA",
    "Roles": [
     {
      "Ref": "RemediationRoleEnableDefaultEncryptionS3MemberAccountRoleD9D87C04"
     }
    ]
   },
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W12",
       "reason": "Resource * is required to allow remediation."
      },
      {
       "id": "W28",
       "reason": "Static names chosen intentionally to provide integration in cross-account permissions."
      }
     ]
    }
   }
  },
  "RemediationRoleEnableDefaultEncryptionS3SHARRMemberBasePolicyB6B36B9A": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "ssm:GetParameters",
        "ssm:GetParameter",
        "ssm:PutParameter"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":ssm:*:",
          {
           "Ref": "AWS::AccountId"
          },
          ":parameter/Solutions/SO0111/*"
         ]
        ]
       }
      },
      {
       "Action": "iam:PassRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-EnableDefaultEncryptionS3-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      },
      {
       "Action": [
        "ssm:StartAutomationExecution",
        "ssm:GetAutomationExecution",
        "ssm:DescribeAutomationStepExecutions"
       ],
       "Effect": "Allow",
       "Resource": [
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":document/Solutions/SHARR-SO0111-EnableDefaultEncryptionS3-",
           {
            "Ref": "Namespace"
           }
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*::automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-execution/*"
          ]
         ]
        }
       ]
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-EnableDefaultEncryptionS3-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "RemediationRoleEnableDefaultEncryptionS3SHARRMemberBasePolicyB6B36B9A",
    "Roles": [
     {
      "Ref": "RemediationRoleEnableDefaultEncryptionS3MemberAccountRoleD9D87C04"
     }
    ]
   }
  },
  "RemediationRoleEnableDefaultEncryptionS3MemberAccountRoleD9D87C04": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":role/SO0111-SHARR-Orchestrator-Member"
          ]
         ]
        }
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "Service": "ssm.amazonaws.com"
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":root"
          ]
         ]
        }
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "RoleName": {
     "Fn::Join": [
      "",
      [
       "SO0111-EnableDefaultEncryptionS3-",
       {
        "Ref": "Namespace"
       }
      ]
     ]
    }
   },
   "DependsOn": [
    "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5"
   ],
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W11",
       "reason": "Resource * is required due to the administrative nature of the solution."
      },
      {
       "id": "W28",
       "reason": "Static names chosen intentionally to provide integration in cross-account permissions"
      }
     ]
    }
   }
  },
  "ASRRemediationPolicyEnableVPCFlowLogsB7CEF42E": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": "ec2:CreateFlowLogs",
       "Effect": "Allow",
       "Resource": [
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ec2:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":vpc/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ec2:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":vpc-flow-log/*"
          ]
         ]
        }
       ]
      },
      {
       "Action": "iam:PassRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-EnableVPCFlowLogs-remediationRole-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      },
      {
       "Action": "ssm:GetParameter",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":ssm:*:",
          {
           "Ref": "AWS::AccountId"
          },
          ":parameter/SO0111/CMK_REMEDIATION_ARN"
         ]
        ]
       }
      },
      {
       "Action": [
        "ec2:DescribeFlowLogs",
        "logs:CreateLogGroup",
        "logs:DescribeLogGroups"
       ],
       "Effect": "Allow",
       "Resource": "*"
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "ASRRemediationPolicyEnableVPCFlowLogsB7CEF42E",
    "Roles": [
     {
      "Ref": "RemediationRoleEnableVPCFlowLogsMemberAccountRoleB79F3729"
     }
    ]
   },
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W12",
       "reason": "Resource * is required to allow remediation for *any* resources."
      }
     ]
    }
   }
  },
  "EnableVPCFlowLogsremediationrole00848CDF": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "Service": "vpc-flow-logs.amazonaws.com"
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "Policies": [
     {
      "PolicyDocument": {
       "Statement": [
        {
         "Action": [
          "logs:CreateLogGroup",
          "logs:CreateLogStream",
          "logs:DescribeLogGroups",
          "logs:DescribeLogStreams",
          "logs:PutLogEvents"
         ],
         "Effect": "Allow",
         "Resource": "*"
        }
       ],
       "Version": "2012-10-17"
      },
      "PolicyName": "default_lambdaPolicy"
     }
    ],
    "RoleName": {
     "Fn::Join": [
      "",
      [
       "SO0111-EnableVPCFlowLogs-remediationRole-",
       {
        "Ref": "Namespace"
       }
      ]
     ]
    }
   },
   "UpdateReplacePolicy": "Retain",
   "DeletionPolicy": "Retain",
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W11",
       "reason": "Resource * is required due to the administrative nature of the solution."
      },
      {
       "id": "W28",
       "reason": "Static names chosen intentionally to provide integration in cross-account permissions"
      }
     ]
    },
    "guard": {
     "SuppressedRules": [
      "IAM_NO_INLINE_POLICY_CHECK"
     ]
    }
   }
  },
  "RemediationRoleEnableVPCFlowLogsSHARRMemberBasePolicy0D33A918": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "ssm:GetParameters",
        "ssm:GetParameter",
        "ssm:PutParameter"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":ssm:*:",
          {
           "Ref": "AWS::AccountId"
          },
          ":parameter/Solutions/SO0111/*"
         ]
        ]
       }
      },
      {
       "Action": "iam:PassRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-EnableVPCFlowLogs-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      },
      {
       "Action": [
        "ssm:StartAutomationExecution",
        "ssm:GetAutomationExecution",
        "ssm:DescribeAutomationStepExecutions"
       ],
       "Effect": "Allow",
       "Resource": [
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":document/Solutions/SHARR-SO0111-EnableVPCFlowLogs-",
           {
            "Ref": "Namespace"
           }
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*::automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-execution/*"
          ]
         ]
        }
       ]
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-EnableVPCFlowLogs-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "RemediationRoleEnableVPCFlowLogsSHARRMemberBasePolicy0D33A918",
    "Roles": [
     {
      "Ref": "RemediationRoleEnableVPCFlowLogsMemberAccountRoleB79F3729"
     }
    ]
   }
  },
  "RemediationRoleEnableVPCFlowLogsMemberAccountRoleB79F3729": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":role/SO0111-SHARR-Orchestrator-Member"
          ]
         ]
        }
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "Service": "ssm.amazonaws.com"
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":root"
          ]
         ]
        }
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "RoleName": {
     "Fn::Join": [
      "",
      [
       "SO0111-EnableVPCFlowLogs-",
       {
        "Ref": "Namespace"
       }
      ]
     ]
    }
   },
   "DependsOn": [
    "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5"
   ],
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W11",
       "reason": "Resource * is required due to the administrative nature of the solution."
      },
      {
       "id": "W28",
       "reason": "Static names chosen intentionally to provide integration in cross-account permissions"
      }
     ]
    }
   }
  },
  "ASRRemediationPolicyCreateAccessLoggingBucketE3EEC590": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "s3:CreateBucket",
        "s3:PutEncryptionConfiguration",
        "s3:PutBucketAcl",
        "s3:PutBucketOwnershipControls"
       ],
       "Effect": "Allow",
       "Resource": "*"
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "ASRRemediationPolicyCreateAccessLoggingBucketE3EEC590",
    "Roles": [
     {
      "Ref": "RemediationRoleCreateAccessLoggingBucketMemberAccountRole3E1569D8"
     }
    ]
   },
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W12",
       "reason": "Resource * is required to allow remediation for *any* resources."
      }
     ]
    }
   }
  },
  "RemediationRoleCreateAccessLoggingBucketSHARRMemberBasePolicy0B9908F2": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "ssm:GetParameters",
        "ssm:GetParameter",
        "ssm:PutParameter"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":ssm:*:",
          {
           "Ref": "AWS::AccountId"
          },
          ":parameter/Solutions/SO0111/*"
         ]
        ]
       }
      },
      {
       "Action": "iam:PassRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-CreateAccessLoggingBucket-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      },
      {
       "Action": [
        "ssm:StartAutomationExecution",
        "ssm:GetAutomationExecution",
        "ssm:DescribeAutomationStepExecutions"
       ],
       "Effect": "Allow",
       "Resource": [
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":document/Solutions/SHARR-SO0111-CreateAccessLoggingBucket-",
           {
            "Ref": "Namespace"
           }
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*::automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-execution/*"
          ]
         ]
        }
       ]
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-CreateAccessLoggingBucket-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "RemediationRoleCreateAccessLoggingBucketSHARRMemberBasePolicy0B9908F2",
    "Roles": [
     {
      "Ref": "RemediationRoleCreateAccessLoggingBucketMemberAccountRole3E1569D8"
     }
    ]
   }
  },
  "RemediationRoleCreateAccessLoggingBucketMemberAccountRole3E1569D8": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":role/SO0111-SHARR-Orchestrator-Member"
          ]
         ]
        }
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "Service": "ssm.amazonaws.com"
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":root"
          ]
         ]
        }
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "RoleName": {
     "Fn::Join": [
      "",
      [
       "SO0111-CreateAccessLoggingBucket-",
       {
        "Ref": "Namespace"
       }
      ]
     ]
    }
   },
   "DependsOn": [
    "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5"
   ],
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W11",
       "reason": "Resource * is required due to the administrative nature of the solution."
      },
      {
       "id": "W28",
       "reason": "Static names chosen intentionally to provide integration in cross-account permissions"
      }
     ]
    }
   }
  },
  "ASRRemediationPolicyMakeEBSSnapshotsPrivate8E0355EB": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "ec2:ModifySnapshotAttribute",
        "ec2:DescribeSnapshots"
       ],
       "Effect": "Allow",
       "Resource": "*"
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "ASRRemediationPolicyMakeEBSSnapshotsPrivate8E0355EB",
    "Roles": [
     {
      "Ref": "RemediationRoleMakeEBSSnapshotsPrivateMemberAccountRoleFA05CFAF"
     }
    ]
   },
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W12",
       "reason": "Resource * is required to allow remediation of *any* snapshot."
      }
     ]
    }
   }
  },
  "RemediationRoleMakeEBSSnapshotsPrivateSHARRMemberBasePolicy7DE85B9C": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "ssm:GetParameters",
        "ssm:GetParameter",
        "ssm:PutParameter"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":ssm:*:",
          {
           "Ref": "AWS::AccountId"
          },
          ":parameter/Solutions/SO0111/*"
         ]
        ]
       }
      },
      {
       "Action": "iam:PassRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-MakeEBSSnapshotsPrivate-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      },
      {
       "Action": [
        "ssm:StartAutomationExecution",
        "ssm:GetAutomationExecution",
        "ssm:DescribeAutomationStepExecutions"
       ],
       "Effect": "Allow",
       "Resource": [
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":document/Solutions/SHARR-SO0111-MakeEBSSnapshotsPrivate-",
           {
            "Ref": "Namespace"
           }
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*::automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-execution/*"
          ]
         ]
        }
       ]
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-MakeEBSSnapshotsPrivate-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "RemediationRoleMakeEBSSnapshotsPrivateSHARRMemberBasePolicy7DE85B9C",
    "Roles": [
     {
      "Ref": "RemediationRoleMakeEBSSnapshotsPrivateMemberAccountRoleFA05CFAF"
     }
    ]
   }
  },
  "RemediationRoleMakeEBSSnapshotsPrivateMemberAccountRoleFA05CFAF": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":role/SO0111-SHARR-Orchestrator-Member"
          ]
         ]
        }
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "Service": "ssm.amazonaws.com"
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":root"
          ]
         ]
        }
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "RoleName": {
     "Fn::Join": [
      "",
      [
       "SO0111-MakeEBSSnapshotsPrivate-",
       {
        "Ref": "Namespace"
       }
      ]
     ]
    }
   },
   "DependsOn": [
    "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5"
   ],
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W11",
       "reason": "Resource * is required due to the administrative nature of the solution."
      },
      {
       "id": "W28",
       "reason": "Static names chosen intentionally to provide integration in cross-account permissions"
      }
     ]
    }
   }
  },
  "ASRRemediationPolicyMakeRDSSnapshotPrivate384830D9": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "rds:ModifyDBSnapshotAttribute",
        "rds:ModifyDBClusterSnapshotAttribute"
       ],
       "Effect": "Allow",
       "Resource": "*"
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "ASRRemediationPolicyMakeRDSSnapshotPrivate384830D9",
    "Roles": [
     {
      "Ref": "RemediationRoleMakeRDSSnapshotPrivateMemberAccountRole6760FE6D"
     }
    ]
   },
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W12",
       "reason": "Resource * is required to allow remediation of *any* snapshot."
      }
     ]
    }
   }
  },
  "RemediationRoleMakeRDSSnapshotPrivateSHARRMemberBasePolicyFF0FBF31": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "ssm:GetParameters",
        "ssm:GetParameter",
        "ssm:PutParameter"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":ssm:*:",
          {
           "Ref": "AWS::AccountId"
          },
          ":parameter/Solutions/SO0111/*"
         ]
        ]
       }
      },
      {
       "Action": "iam:PassRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-MakeRDSSnapshotPrivate-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      },
      {
       "Action": [
        "ssm:StartAutomationExecution",
        "ssm:GetAutomationExecution",
        "ssm:DescribeAutomationStepExecutions"
       ],
       "Effect": "Allow",
       "Resource": [
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":document/Solutions/SHARR-SO0111-MakeRDSSnapshotPrivate-",
           {
            "Ref": "Namespace"
           }
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*::automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-execution/*"
          ]
         ]
        }
       ]
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-MakeRDSSnapshotPrivate-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "RemediationRoleMakeRDSSnapshotPrivateSHARRMemberBasePolicyFF0FBF31",
    "Roles": [
     {
      "Ref": "RemediationRoleMakeRDSSnapshotPrivateMemberAccountRole6760FE6D"
     }
    ]
   }
  },
  "RemediationRoleMakeRDSSnapshotPrivateMemberAccountRole6760FE6D": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":role/SO0111-SHARR-Orchestrator-Member"
          ]
         ]
        }
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "Service": "ssm.amazonaws.com"
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":root"
          ]
         ]
        }
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "RoleName": {
     "Fn::Join": [
      "",
      [
       "SO0111-MakeRDSSnapshotPrivate-",
       {
        "Ref": "Namespace"
       }
      ]
     ]
    }
   },
   "DependsOn": [
    "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5"
   ],
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W11",
       "reason": "Resource * is required due to the administrative nature of the solution."
      },
      {
       "id": "W28",
       "reason": "Static names chosen intentionally to provide integration in cross-account permissions"
      }
     ]
    }
   }
  },
  "ASRRemediationPolicyRemoveLambdaPublicAccessE64C4109": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "lambda:GetPolicy",
        "lambda:RemovePermission"
       ],
       "Effect": "Allow",
       "Resource": "*"
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "ASRRemediationPolicyRemoveLambdaPublicAccessE64C4109",
    "Roles": [
     {
      "Ref": "RemediationRoleRemoveLambdaPublicAccessMemberAccountRoleB266862C"
     }
    ]
   },
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W12",
       "reason": "Resource * is required to allow remediation of any resource."
      }
     ]
    }
   }
  },
  "RemediationRoleRemoveLambdaPublicAccessSHARRMemberBasePolicy6AACE4BE": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "ssm:GetParameters",
        "ssm:GetParameter",
        "ssm:PutParameter"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":ssm:*:",
          {
           "Ref": "AWS::AccountId"
          },
          ":parameter/Solutions/SO0111/*"
         ]
        ]
       }
      },
      {
       "Action": "iam:PassRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-RemoveLambdaPublicAccess-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      },
      {
       "Action": [
        "ssm:StartAutomationExecution",
        "ssm:GetAutomationExecution",
        "ssm:DescribeAutomationStepExecutions"
       ],
       "Effect": "Allow",
       "Resource": [
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":document/Solutions/SHARR-SO0111-RemoveLambdaPublicAccess-",
           {
            "Ref": "Namespace"
           }
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*::automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-execution/*"
          ]
         ]
        }
       ]
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-RemoveLambdaPublicAccess-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "RemediationRoleRemoveLambdaPublicAccessSHARRMemberBasePolicy6AACE4BE",
    "Roles": [
     {
      "Ref": "RemediationRoleRemoveLambdaPublicAccessMemberAccountRoleB266862C"
     }
    ]
   }
  },
  "RemediationRoleRemoveLambdaPublicAccessMemberAccountRoleB266862C": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":role/SO0111-SHARR-Orchestrator-Member"
          ]
         ]
        }
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "Service": "ssm.amazonaws.com"
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":root"
          ]
         ]
        }
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "RoleName": {
     "Fn::Join": [
      "",
      [
       "SO0111-RemoveLambdaPublicAccess-",
       {
        "Ref": "Namespace"
       }
      ]
     ]
    }
   },
   "DependsOn": [
    "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5"
   ],
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W11",
       "reason": "Resource * is required due to the administrative nature of the solution."
      },
      {
       "id": "W28",
       "reason": "Static names chosen intentionally to provide integration in cross-account permissions"
      }
     ]
    }
   }
  },
  "ASRRemediationPolicyRevokeUnrotatedKeys25EB4C63": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "iam:UpdateAccessKey",
        "iam:ListAccessKeys",
        "iam:GetAccessKeyLastUsed",
        "iam:GetUser"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":user/*"
         ]
        ]
       }
      },
      {
       "Action": "config:ListDiscoveredResources",
       "Effect": "Allow",
       "Resource": "*"
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "ASRRemediationPolicyRevokeUnrotatedKeys25EB4C63",
    "Roles": [
     {
      "Ref": "RemediationRoleRevokeUnrotatedKeysMemberAccountRoleBC193A84"
     }
    ]
   },
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W12",
       "reason": "Resource * is required to allow remediation of any resource."
      }
     ]
    }
   }
  },
  "RemediationRoleRevokeUnrotatedKeysSHARRMemberBasePolicy493293CA": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "ssm:GetParameters",
        "ssm:GetParameter",
        "ssm:PutParameter"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":ssm:*:",
          {
           "Ref": "AWS::AccountId"
          },
          ":parameter/Solutions/SO0111/*"
         ]
        ]
       }
      },
      {
       "Action": "iam:PassRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-RevokeUnrotatedKeys-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      },
      {
       "Action": [
        "ssm:StartAutomationExecution",
        "ssm:GetAutomationExecution",
        "ssm:DescribeAutomationStepExecutions"
       ],
       "Effect": "Allow",
       "Resource": [
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":document/Solutions/SHARR-SO0111-RevokeUnrotatedKeys-",
           {
            "Ref": "Namespace"
           }
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*::automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-execution/*"
          ]
         ]
        }
       ]
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-RevokeUnrotatedKeys-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "RemediationRoleRevokeUnrotatedKeysSHARRMemberBasePolicy493293CA",
    "Roles": [
     {
      "Ref": "RemediationRoleRevokeUnrotatedKeysMemberAccountRoleBC193A84"
     }
    ]
   }
  },
  "RemediationRoleRevokeUnrotatedKeysMemberAccountRoleBC193A84": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":role/SO0111-SHARR-Orchestrator-Member"
          ]
         ]
        }
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "Service": "ssm.amazonaws.com"
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":root"
          ]
         ]
        }
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "RoleName": {
     "Fn::Join": [
      "",
      [
       "SO0111-RevokeUnrotatedKeys-",
       {
        "Ref": "Namespace"
       }
      ]
     ]
    }
   },
   "DependsOn": [
    "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5"
   ],
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W11",
       "reason": "Resource * is required due to the administrative nature of the solution."
      },
      {
       "id": "W28",
       "reason": "Static names chosen intentionally to provide integration in cross-account permissions"
      }
     ]
    }
   }
  },
  "ASRRemediationPolicySetSSLBucketPolicy0C3B0C4F": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "s3:GetBucketPolicy",
        "s3:PutBucketPolicy"
       ],
       "Effect": "Allow",
       "Resource": "*"
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "ASRRemediationPolicySetSSLBucketPolicy0C3B0C4F",
    "Roles": [
     {
      "Ref": "RemediationRoleSetSSLBucketPolicyMemberAccountRoleD6BB5274"
     }
    ]
   },
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W12",
       "reason": "Resource * is required to allow remediation of *any* resource."
      }
     ]
    }
   }
  },
  "RemediationRoleSetSSLBucketPolicySHARRMemberBasePolicy21EBF952": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "ssm:GetParameters",
        "ssm:GetParameter",
        "ssm:PutParameter"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":ssm:*:",
          {
           "Ref": "AWS::AccountId"
          },
          ":parameter/Solutions/SO0111/*"
         ]
        ]
       }
      },
      {
       "Action": "iam:PassRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-SetSSLBucketPolicy-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      },
      {
       "Action": [
        "ssm:StartAutomationExecution",
        "ssm:GetAutomationExecution",
        "ssm:DescribeAutomationStepExecutions"
       ],
       "Effect": "Allow",
       "Resource": [
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":document/Solutions/SHARR-SO0111-SetSSLBucketPolicy-",
           {
            "Ref": "Namespace"
           }
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*::automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-execution/*"
          ]
         ]
        }
       ]
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-SetSSLBucketPolicy-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "RemediationRoleSetSSLBucketPolicySHARRMemberBasePolicy21EBF952",
    "Roles": [
     {
      "Ref": "RemediationRoleSetSSLBucketPolicyMemberAccountRoleD6BB5274"
     }
    ]
   }
  },
  "RemediationRoleSetSSLBucketPolicyMemberAccountRoleD6BB5274": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":role/SO0111-SHARR-Orchestrator-Member"
          ]
         ]
        }
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "Service": "ssm.amazonaws.com"
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":root"
          ]
         ]
        }
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "RoleName": {
     "Fn::Join": [
      "",
      [
       "SO0111-SetSSLBucketPolicy-",
       {
        "Ref": "Namespace"
       }
      ]
     ]
    }
   },
   "DependsOn": [
    "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5"
   ],
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W11",
       "reason": "Resource * is required due to the administrative nature of the solution."
      },
      {
       "id": "W28",
       "reason": "Static names chosen intentionally to provide integration in cross-account permissions"
      }
     ]
    }
   }
  },
  "ASRRemediationPolicyReplaceCodeBuildClearTextCredentials41F60669": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "codeBuild:BatchGetProjects",
        "codeBuild:UpdateProject",
        "ssm:PutParameter",
        "iam:CreatePolicy"
       ],
       "Effect": "Allow",
       "Resource": "*"
      },
      {
       "Action": "iam:AttachRolePolicy",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/service-role/*"
         ]
        ]
       }
      },
      {
       "Action": "iam:AttachRolePolicy",
       "Effect": "Deny",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-ReplaceCodeBuildClearTextCredentials-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "ASRRemediationPolicyReplaceCodeBuildClearTextCredentials41F60669",
    "Roles": [
     {
      "Ref": "RemediationRoleReplaceCodeBuildClearTextCredentialsMemberAccountRoleAEEA6C96"
     }
    ]
   },
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W12",
       "reason": "Resource * is required for to allow remediation for *any* resource."
      }
     ]
    }
   }
  },
  "RemediationRoleReplaceCodeBuildClearTextCredentialsSHARRMemberBasePolicy93CBC55E": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "ssm:GetParameters",
        "ssm:GetParameter",
        "ssm:PutParameter"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":ssm:*:",
          {
           "Ref": "AWS::AccountId"
          },
          ":parameter/Solutions/SO0111/*"
         ]
        ]
       }
      },
      {
       "Action": "iam:PassRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-ReplaceCodeBuildClearTextCredentials-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      },
      {
       "Action": [
        "ssm:StartAutomationExecution",
        "ssm:GetAutomationExecution",
        "ssm:DescribeAutomationStepExecutions"
       ],
       "Effect": "Allow",
       "Resource": [
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":document/Solutions/SHARR-SO0111-ReplaceCodeBuildClearTextCredentials-",
           {
            "Ref": "Namespace"
           }
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*::automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-execution/*"
          ]
         ]
        }
       ]
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-ReplaceCodeBuildClearTextCredentials-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "RemediationRoleReplaceCodeBuildClearTextCredentialsSHARRMemberBasePolicy93CBC55E",
    "Roles": [
     {
      "Ref": "RemediationRoleReplaceCodeBuildClearTextCredentialsMemberAccountRoleAEEA6C96"
     }
    ]
   }
  },
  "RemediationRoleReplaceCodeBuildClearTextCredentialsMemberAccountRoleAEEA6C96": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":role/SO0111-SHARR-Orchestrator-Member"
          ]
         ]
        }
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "Service": "ssm.amazonaws.com"
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":root"
          ]
         ]
        }
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "RoleName": {
     "Fn::Join": [
      "",
      [
       "SO0111-ReplaceCodeBuildClearTextCredentials-",
       {
        "Ref": "Namespace"
       }
      ]
     ]
    }
   },
   "DependsOn": [
    "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5"
   ],
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W11",
       "reason": "Resource * is required due to the administrative nature of the solution."
      },
      {
       "id": "W28",
       "reason": "Static names chosen intentionally to provide integration in cross-account permissions"
      }
     ]
    }
   }
  },
  "ASRRemediationPolicyS3BlockDenylist09CFB29B": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "s3:PutBucketPolicy",
        "s3:GetBucketPolicy"
       ],
       "Effect": "Allow",
       "Resource": "*"
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "ASRRemediationPolicyS3BlockDenylist09CFB29B",
    "Roles": [
     {
      "Ref": "RemediationRoleS3BlockDenylistMemberAccountRoleDFABBAB3"
     }
    ]
   },
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W12",
       "reason": "Resource * is required for to allow remediation for *any* resource."
      }
     ]
    }
   }
  },
  "RemediationRoleS3BlockDenylistSHARRMemberBasePolicyFEAC9691": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "ssm:GetParameters",
        "ssm:GetParameter",
        "ssm:PutParameter"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":ssm:*:",
          {
           "Ref": "AWS::AccountId"
          },
          ":parameter/Solutions/SO0111/*"
         ]
        ]
       }
      },
      {
       "Action": "iam:PassRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-S3BlockDenylist-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      },
      {
       "Action": [
        "ssm:StartAutomationExecution",
        "ssm:GetAutomationExecution",
        "ssm:DescribeAutomationStepExecutions"
       ],
       "Effect": "Allow",
       "Resource": [
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":document/Solutions/SHARR-SO0111-S3BlockDenylist-",
           {
            "Ref": "Namespace"
           }
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*::automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-execution/*"
          ]
         ]
        }
       ]
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-S3BlockDenylist-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "RemediationRoleS3BlockDenylistSHARRMemberBasePolicyFEAC9691",
    "Roles": [
     {
      "Ref": "RemediationRoleS3BlockDenylistMemberAccountRoleDFABBAB3"
     }
    ]
   }
  },
  "RemediationRoleS3BlockDenylistMemberAccountRoleDFABBAB3": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":role/SO0111-SHARR-Orchestrator-Member"
          ]
         ]
        }
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "Service": "ssm.amazonaws.com"
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":root"
          ]
         ]
        }
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "RoleName": {
     "Fn::Join": [
      "",
      [
       "SO0111-S3BlockDenylist-",
       {
        "Ref": "Namespace"
       }
      ]
     ]
    }
   },
   "DependsOn": [
    "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5"
   ],
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W11",
       "reason": "Resource * is required due to the administrative nature of the solution."
      },
      {
       "id": "W28",
       "reason": "Static names chosen intentionally to provide integration in cross-account permissions"
      }
     ]
    }
   }
  },
  "ASRRemediationPolicyEncryptRDSSnapshot977A3E1D": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "rds:AddTagsToResource",
        "rds:CopyDBSnapshot",
        "rds:CopyDBClusterSnapshot",
        "rds:DescribeDBSnapshots",
        "rds:DescribeDBClusterSnapshots",
        "rds:DeleteDBSnapshot",
        "rds:DeleteDBClusterSnapshots"
       ],
       "Effect": "Allow",
       "Resource": "*"
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "ASRRemediationPolicyEncryptRDSSnapshot977A3E1D",
    "Roles": [
     {
      "Ref": "RemediationRoleEncryptRDSSnapshotMemberAccountRole5D2C905F"
     }
    ]
   },
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W12",
       "reason": "Resource * is required for to allow remediation for *any* resource."
      }
     ]
    }
   }
  },
  "RemediationRoleEncryptRDSSnapshotSHARRMemberBasePolicyB377E8DA": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "ssm:GetParameters",
        "ssm:GetParameter",
        "ssm:PutParameter"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":ssm:*:",
          {
           "Ref": "AWS::AccountId"
          },
          ":parameter/Solutions/SO0111/*"
         ]
        ]
       }
      },
      {
       "Action": "iam:PassRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-EncryptRDSSnapshot-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      },
      {
       "Action": [
        "ssm:StartAutomationExecution",
        "ssm:GetAutomationExecution",
        "ssm:DescribeAutomationStepExecutions"
       ],
       "Effect": "Allow",
       "Resource": [
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":document/Solutions/SHARR-SO0111-EncryptRDSSnapshot-",
           {
            "Ref": "Namespace"
           }
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*::automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-execution/*"
          ]
         ]
        }
       ]
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-EncryptRDSSnapshot-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "RemediationRoleEncryptRDSSnapshotSHARRMemberBasePolicyB377E8DA",
    "Roles": [
     {
      "Ref": "RemediationRoleEncryptRDSSnapshotMemberAccountRole5D2C905F"
     }
    ]
   }
  },
  "RemediationRoleEncryptRDSSnapshotMemberAccountRole5D2C905F": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":role/SO0111-SHARR-Orchestrator-Member"
          ]
         ]
        }
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "Service": "ssm.amazonaws.com"
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":root"
          ]
         ]
        }
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "RoleName": {
     "Fn::Join": [
      "",
      [
       "SO0111-EncryptRDSSnapshot-",
       {
        "Ref": "Namespace"
       }
      ]
     ]
    }
   },
   "DependsOn": [
    "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5"
   ],
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W11",
       "reason": "Resource * is required due to the administrative nature of the solution."
      },
      {
       "id": "W28",
       "reason": "Static names chosen intentionally to provide integration in cross-account permissions"
      }
     ]
    }
   }
  },
  "ASRRemediationPolicyDisablePublicAccessToRedshiftCluster66BC092B": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "redshift:ModifyCluster",
        "redshift:DescribeClusters"
       ],
       "Effect": "Allow",
       "Resource": "*"
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "ASRRemediationPolicyDisablePublicAccessToRedshiftCluster66BC092B",
    "Roles": [
     {
      "Ref": "RemediationRoleDisablePublicAccessToRedshiftClusterMemberAccountRole87AA27A6"
     }
    ]
   },
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W12",
       "reason": "Resource * is required for to allow remediation for any resource."
      }
     ]
    }
   }
  },
  "RemediationRoleDisablePublicAccessToRedshiftClusterSHARRMemberBasePolicy071786CD": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "ssm:GetParameters",
        "ssm:GetParameter",
        "ssm:PutParameter"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":ssm:*:",
          {
           "Ref": "AWS::AccountId"
          },
          ":parameter/Solutions/SO0111/*"
         ]
        ]
       }
      },
      {
       "Action": "iam:PassRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-DisablePublicAccessToRedshiftCluster-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      },
      {
       "Action": [
        "ssm:StartAutomationExecution",
        "ssm:GetAutomationExecution",
        "ssm:DescribeAutomationStepExecutions"
       ],
       "Effect": "Allow",
       "Resource": [
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":document/Solutions/SHARR-SO0111-DisablePublicAccessToRedshiftCluster-",
           {
            "Ref": "Namespace"
           }
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*::automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-execution/*"
          ]
         ]
        }
       ]
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-DisablePublicAccessToRedshiftCluster-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "RemediationRoleDisablePublicAccessToRedshiftClusterSHARRMemberBasePolicy071786CD",
    "Roles": [
     {
      "Ref": "RemediationRoleDisablePublicAccessToRedshiftClusterMemberAccountRole87AA27A6"
     }
    ]
   }
  },
  "RemediationRoleDisablePublicAccessToRedshiftClusterMemberAccountRole87AA27A6": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":role/SO0111-SHARR-Orchestrator-Member"
          ]
         ]
        }
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "Service": "ssm.amazonaws.com"
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":root"
          ]
         ]
        }
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "RoleName": {
     "Fn::Join": [
      "",
      [
       "SO0111-DisablePublicAccessToRedshiftCluster-",
       {
        "Ref": "Namespace"
       }
      ]
     ]
    }
   },
   "DependsOn": [
    "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5"
   ],
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W11",
       "reason": "Resource * is required due to the administrative nature of the solution."
      },
      {
       "id": "W28",
       "reason": "Static names chosen intentionally to provide integration in cross-account permissions"
      }
     ]
    }
   }
  },
  "ASRRemediationPolicyEnableRedshiftClusterAuditLoggingD5BE977C": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "redshift:DescribeLoggingStatus",
        "redshift:EnableLogging",
        "s3:PutObject"
       ],
       "Effect": "Allow",
       "Resource": "*"
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "ASRRemediationPolicyEnableRedshiftClusterAuditLoggingD5BE977C",
    "Roles": [
     {
      "Ref": "RemediationRoleEnableRedshiftClusterAuditLoggingMemberAccountRoleD7AC224E"
     }
    ]
   },
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W12",
       "reason": "Resource * is required for to allow remediation for any resource."
      }
     ]
    }
   }
  },
  "RemediationRoleEnableRedshiftClusterAuditLoggingSHARRMemberBasePolicyFB2EC252": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "ssm:GetParameters",
        "ssm:GetParameter",
        "ssm:PutParameter"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":ssm:*:",
          {
           "Ref": "AWS::AccountId"
          },
          ":parameter/Solutions/SO0111/*"
         ]
        ]
       }
      },
      {
       "Action": "iam:PassRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-EnableRedshiftClusterAuditLogging-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      },
      {
       "Action": [
        "ssm:StartAutomationExecution",
        "ssm:GetAutomationExecution",
        "ssm:DescribeAutomationStepExecutions"
       ],
       "Effect": "Allow",
       "Resource": [
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":document/Solutions/SHARR-SO0111-EnableRedshiftClusterAuditLogging-",
           {
            "Ref": "Namespace"
           }
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*::automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-execution/*"
          ]
         ]
        }
       ]
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-EnableRedshiftClusterAuditLogging-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "RemediationRoleEnableRedshiftClusterAuditLoggingSHARRMemberBasePolicyFB2EC252",
    "Roles": [
     {
      "Ref": "RemediationRoleEnableRedshiftClusterAuditLoggingMemberAccountRoleD7AC224E"
     }
    ]
   }
  },
  "RemediationRoleEnableRedshiftClusterAuditLoggingMemberAccountRoleD7AC224E": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":role/SO0111-SHARR-Orchestrator-Member"
          ]
         ]
        }
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "Service": "ssm.amazonaws.com"
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":root"
          ]
         ]
        }
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "RoleName": {
     "Fn::Join": [
      "",
      [
       "SO0111-EnableRedshiftClusterAuditLogging-",
       {
        "Ref": "Namespace"
       }
      ]
     ]
    }
   },
   "DependsOn": [
    "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5"
   ],
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W11",
       "reason": "Resource * is required due to the administrative nature of the solution."
      },
      {
       "id": "W28",
       "reason": "Static names chosen intentionally to provide integration in cross-account permissions"
      }
     ]
    }
   }
  },
  "ASRRemediationPolicyEnableAutomaticVersionUpgradeOnRedshiftCluster5A0C15D8": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "redshift:ModifyCluster",
        "redshift:DescribeClusters"
       ],
       "Effect": "Allow",
       "Resource": "*"
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "ASRRemediationPolicyEnableAutomaticVersionUpgradeOnRedshiftCluster5A0C15D8",
    "Roles": [
     {
      "Ref": "RemediationRoleEnableAutomaticVersionUpgradeOnRedshiftClusterMemberAccountRoleADCE761E"
     }
    ]
   },
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W12",
       "reason": "Resource * is required for to allow remediation for any resource."
      }
     ]
    }
   }
  },
  "RemediationRoleEnableAutomaticVersionUpgradeOnRedshiftClusterSHARRMemberBasePolicyFEA51B64": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "ssm:GetParameters",
        "ssm:GetParameter",
        "ssm:PutParameter"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":ssm:*:",
          {
           "Ref": "AWS::AccountId"
          },
          ":parameter/Solutions/SO0111/*"
         ]
        ]
       }
      },
      {
       "Action": "iam:PassRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-EnableAutomaticVersionUpgradeOnRedshiftCluster-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      },
      {
       "Action": [
        "ssm:StartAutomationExecution",
        "ssm:GetAutomationExecution",
        "ssm:DescribeAutomationStepExecutions"
       ],
       "Effect": "Allow",
       "Resource": [
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":document/Solutions/SHARR-SO0111-EnableAutomaticVersionUpgradeOnRedshiftCluster-",
           {
            "Ref": "Namespace"
           }
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*::automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-execution/*"
          ]
         ]
        }
       ]
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-EnableAutomaticVersionUpgradeOnRedshiftCluster-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "RemediationRoleEnableAutomaticVersionUpgradeOnRedshiftClusterSHARRMemberBasePolicyFEA51B64",
    "Roles": [
     {
      "Ref": "RemediationRoleEnableAutomaticVersionUpgradeOnRedshiftClusterMemberAccountRoleADCE761E"
     }
    ]
   }
  },
  "RemediationRoleEnableAutomaticVersionUpgradeOnRedshiftClusterMemberAccountRoleADCE761E": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":role/SO0111-SHARR-Orchestrator-Member"
          ]
         ]
        }
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "Service": "ssm.amazonaws.com"
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":root"
          ]
         ]
        }
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "RoleName": {
     "Fn::Join": [
      "",
      [
       "SO0111-EnableAutomaticVersionUpgradeOnRedshiftCluster-",
       {
        "Ref": "Namespace"
       }
      ]
     ]
    }
   },
   "DependsOn": [
    "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5"
   ],
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W11",
       "reason": "Resource * is required due to the administrative nature of the solution."
      },
      {
       "id": "W28",
       "reason": "Static names chosen intentionally to provide integration in cross-account permissions"
      }
     ]
    }
   }
  },
  "ASRRemediationPolicyEnableAutomaticSnapshotsOnRedshiftClusterC0A2A72C": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "redshift:ModifyCluster",
        "redshift:DescribeClusters"
       ],
       "Effect": "Allow",
       "Resource": "*"
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "ASRRemediationPolicyEnableAutomaticSnapshotsOnRedshiftClusterC0A2A72C",
    "Roles": [
     {
      "Ref": "RemediationRoleEnableAutomaticSnapshotsOnRedshiftClusterMemberAccountRole13857606"
     }
    ]
   },
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W12",
       "reason": "Resource * is required to allow remediation for any resource."
      }
     ]
    }
   }
  },
  "RemediationRoleEnableAutomaticSnapshotsOnRedshiftClusterSHARRMemberBasePolicyB55A3D11": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "ssm:GetParameters",
        "ssm:GetParameter",
        "ssm:PutParameter"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":ssm:*:",
          {
           "Ref": "AWS::AccountId"
          },
          ":parameter/Solutions/SO0111/*"
         ]
        ]
       }
      },
      {
       "Action": "iam:PassRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-EnableAutomaticSnapshotsOnRedshiftCluster-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      },
      {
       "Action": [
        "ssm:StartAutomationExecution",
        "ssm:GetAutomationExecution",
        "ssm:DescribeAutomationStepExecutions"
       ],
       "Effect": "Allow",
       "Resource": [
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":document/Solutions/SHARR-SO0111-EnableAutomaticSnapshotsOnRedshiftCluster-",
           {
            "Ref": "Namespace"
           }
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*::automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-execution/*"
          ]
         ]
        }
       ]
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-EnableAutomaticSnapshotsOnRedshiftCluster-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "RemediationRoleEnableAutomaticSnapshotsOnRedshiftClusterSHARRMemberBasePolicyB55A3D11",
    "Roles": [
     {
      "Ref": "RemediationRoleEnableAutomaticSnapshotsOnRedshiftClusterMemberAccountRole13857606"
     }
    ]
   }
  },
  "RemediationRoleEnableAutomaticSnapshotsOnRedshiftClusterMemberAccountRole13857606": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":role/SO0111-SHARR-Orchestrator-Member"
          ]
         ]
        }
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "Service": "ssm.amazonaws.com"
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":root"
          ]
         ]
        }
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "RoleName": {
     "Fn::Join": [
      "",
      [
       "SO0111-EnableAutomaticSnapshotsOnRedshiftCluster-",
       {
        "Ref": "Namespace"
       }
      ]
     ]
    }
   },
   "DependsOn": [
    "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5"
   ],
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W11",
       "reason": "Resource * is required due to the administrative nature of the solution."
      },
      {
       "id": "W28",
       "reason": "Static names chosen intentionally to provide integration in cross-account permissions"
      }
     ]
    }
   }
  },
  "ASRRemediationPolicyCreateIAMSupportRole28E10C2E": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "iam:GetRole",
        "iam:CreateRole",
        "iam:AttachRolePolicy",
        "iam:TagRole"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/aws_incident_support_role"
         ]
        ]
       }
      },
      {
       "Action": "iam:AttachRolePolicy",
       "Effect": "Deny",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-CreateIAMSupportRole-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "ASRRemediationPolicyCreateIAMSupportRole28E10C2E",
    "Roles": [
     {
      "Ref": "RemediationRoleCreateIAMSupportRoleMemberAccountRoleFD80F5F3"
     }
    ]
   },
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W12",
       "reason": "Resource * is required to allow remediation."
      },
      {
       "id": "W28",
       "reason": "Static names chosen intentionally to provide integration in cross-account permissions."
      }
     ]
    }
   }
  },
  "RemediationRoleCreateIAMSupportRoleSHARRMemberBasePolicyB811FF40": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "ssm:GetParameters",
        "ssm:GetParameter",
        "ssm:PutParameter"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":ssm:*:",
          {
           "Ref": "AWS::AccountId"
          },
          ":parameter/Solutions/SO0111/*"
         ]
        ]
       }
      },
      {
       "Action": "iam:PassRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-CreateIAMSupportRole-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      },
      {
       "Action": [
        "ssm:StartAutomationExecution",
        "ssm:GetAutomationExecution",
        "ssm:DescribeAutomationStepExecutions"
       ],
       "Effect": "Allow",
       "Resource": [
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":document/Solutions/SHARR-SO0111-CreateIAMSupportRole-",
           {
            "Ref": "Namespace"
           }
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*::automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-execution/*"
          ]
         ]
        }
       ]
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-CreateIAMSupportRole-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "RemediationRoleCreateIAMSupportRoleSHARRMemberBasePolicyB811FF40",
    "Roles": [
     {
      "Ref": "RemediationRoleCreateIAMSupportRoleMemberAccountRoleFD80F5F3"
     }
    ]
   }
  },
  "RemediationRoleCreateIAMSupportRoleMemberAccountRoleFD80F5F3": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":role/SO0111-SHARR-Orchestrator-Member"
          ]
         ]
        }
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "Service": "ssm.amazonaws.com"
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":root"
          ]
         ]
        }
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "RoleName": {
     "Fn::Join": [
      "",
      [
       "SO0111-CreateIAMSupportRole-",
       {
        "Ref": "Namespace"
       }
      ]
     ]
    }
   },
   "DependsOn": [
    "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5"
   ],
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W11",
       "reason": "Resource * is required due to the administrative nature of the solution."
      },
      {
       "id": "W28",
       "reason": "Static names chosen intentionally to provide integration in cross-account permissions"
      }
     ]
    }
   }
  },
  "ASRRemediationPolicyEnableEncryptionForSQSQueueB4AC4CBC": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "sqs:GetQueueUrl",
        "sqs:SetQueueAttributes",
        "sqs:GetQueueAttributes"
       ],
       "Effect": "Allow",
       "Resource": "*"
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "ASRRemediationPolicyEnableEncryptionForSQSQueueB4AC4CBC",
    "Roles": [
     {
      "Ref": "RemediationRoleEnableEncryptionForSQSQueueMemberAccountRole7976F712"
     }
    ]
   },
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W12",
       "reason": "Resource * is required to allow remediation for any resource."
      }
     ]
    }
   }
  },
  "RemediationRoleEnableEncryptionForSQSQueueSHARRMemberBasePolicy2088FE8D": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "ssm:GetParameters",
        "ssm:GetParameter",
        "ssm:PutParameter"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":ssm:*:",
          {
           "Ref": "AWS::AccountId"
          },
          ":parameter/Solutions/SO0111/*"
         ]
        ]
       }
      },
      {
       "Action": "iam:PassRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-EnableEncryptionForSQSQueue-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      },
      {
       "Action": [
        "ssm:StartAutomationExecution",
        "ssm:GetAutomationExecution",
        "ssm:DescribeAutomationStepExecutions"
       ],
       "Effect": "Allow",
       "Resource": [
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":document/Solutions/SHARR-SO0111-EnableEncryptionForSQSQueue-",
           {
            "Ref": "Namespace"
           }
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*::automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-execution/*"
          ]
         ]
        }
       ]
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-EnableEncryptionForSQSQueue-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "RemediationRoleEnableEncryptionForSQSQueueSHARRMemberBasePolicy2088FE8D",
    "Roles": [
     {
      "Ref": "RemediationRoleEnableEncryptionForSQSQueueMemberAccountRole7976F712"
     }
    ]
   }
  },
  "RemediationRoleEnableEncryptionForSQSQueueMemberAccountRole7976F712": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":role/SO0111-SHARR-Orchestrator-Member"
          ]
         ]
        }
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "Service": "ssm.amazonaws.com"
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":root"
          ]
         ]
        }
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "RoleName": {
     "Fn::Join": [
      "",
      [
       "SO0111-EnableEncryptionForSQSQueue-",
       {
        "Ref": "Namespace"
       }
      ]
     ]
    }
   },
   "DependsOn": [
    "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5"
   ],
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W11",
       "reason": "Resource * is required due to the administrative nature of the solution."
      },
      {
       "id": "W28",
       "reason": "Static names chosen intentionally to provide integration in cross-account permissions"
      }
     ]
    }
   }
  },
  "ASRRemediationPolicyConfigureSNSTopicForStackEB0051E6": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "cloudformation:DescribeStacks",
        "cloudformation:UpdateStack"
       ],
       "Effect": "Allow",
       "Resource": "*"
      },
      {
       "Action": [
        "sns:CreateTopic",
        "sns:Publish"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":sns:",
          {
           "Ref": "AWS::Region"
          },
          ":",
          {
           "Ref": "AWS::AccountId"
          },
          ":SO0111-ASR-CloudFormationNotifications"
         ]
        ]
       }
      },
      {
       "Action": [
        "servicecatalog:GetApplication",
        "iam:GetRole"
       ],
       "Effect": "Allow",
       "Resource": "*"
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "ASRRemediationPolicyConfigureSNSTopicForStackEB0051E6",
    "Roles": [
     {
      "Ref": "RemediationRoleConfigureSNSTopicForStackMemberAccountRoleF91254E5"
     }
    ]
   },
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W12",
       "reason": "Resource * is required to allow remediation."
      }
     ]
    }
   }
  },
  "RemediationRoleConfigureSNSTopicForStackSHARRMemberBasePolicyB95FE457": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "ssm:GetParameters",
        "ssm:GetParameter",
        "ssm:PutParameter"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":ssm:*:",
          {
           "Ref": "AWS::AccountId"
          },
          ":parameter/Solutions/SO0111/*"
         ]
        ]
       }
      },
      {
       "Action": "iam:PassRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-ConfigureSNSTopicForStack-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      },
      {
       "Action": [
        "ssm:StartAutomationExecution",
        "ssm:GetAutomationExecution",
        "ssm:DescribeAutomationStepExecutions"
       ],
       "Effect": "Allow",
       "Resource": [
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":document/Solutions/SHARR-SO0111-ConfigureSNSTopicForStack-",
           {
            "Ref": "Namespace"
           }
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*::automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-execution/*"
          ]
         ]
        }
       ]
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-ConfigureSNSTopicForStack-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "RemediationRoleConfigureSNSTopicForStackSHARRMemberBasePolicyB95FE457",
    "Roles": [
     {
      "Ref": "RemediationRoleConfigureSNSTopicForStackMemberAccountRoleF91254E5"
     }
    ]
   }
  },
  "RemediationRoleConfigureSNSTopicForStackMemberAccountRoleF91254E5": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":role/SO0111-SHARR-Orchestrator-Member"
          ]
         ]
        }
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "Service": "ssm.amazonaws.com"
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":root"
          ]
         ]
        }
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "RoleName": {
     "Fn::Join": [
      "",
      [
       "SO0111-ConfigureSNSTopicForStack-",
       {
        "Ref": "Namespace"
       }
      ]
     ]
    }
   },
   "DependsOn": [
    "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5"
   ],
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W11",
       "reason": "Resource * is required due to the administrative nature of the solution."
      },
      {
       "id": "W28",
       "reason": "Static names chosen intentionally to provide integration in cross-account permissions"
      }
     ]
    }
   }
  },
  "ASRRemediationPolicyConfigureS3BucketLogging72C5B50E": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "s3:PutBucketLogging",
        "s3:CreateBucket",
        "s3:PutEncryptionConfiguration",
        "s3:PutBucketAcl"
       ],
       "Effect": "Allow",
       "Resource": "*"
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "ASRRemediationPolicyConfigureS3BucketLogging72C5B50E",
    "Roles": [
     {
      "Ref": "RemediationRoleConfigureS3BucketLoggingMemberAccountRoleE068390D"
     }
    ]
   },
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W12",
       "reason": "Resource * is required to allow remediation for *any* resource."
      }
     ]
    }
   }
  },
  "RemediationRoleConfigureS3BucketLoggingSHARRMemberBasePolicyAC4F82A8": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "ssm:GetParameters",
        "ssm:GetParameter",
        "ssm:PutParameter"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":ssm:*:",
          {
           "Ref": "AWS::AccountId"
          },
          ":parameter/Solutions/SO0111/*"
         ]
        ]
       }
      },
      {
       "Action": "iam:PassRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-ConfigureS3BucketLogging-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      },
      {
       "Action": [
        "ssm:StartAutomationExecution",
        "ssm:GetAutomationExecution",
        "ssm:DescribeAutomationStepExecutions"
       ],
       "Effect": "Allow",
       "Resource": [
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":document/Solutions/SHARR-SO0111-ConfigureS3BucketLogging-",
           {
            "Ref": "Namespace"
           }
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*::automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-execution/*"
          ]
         ]
        }
       ]
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-ConfigureS3BucketLogging-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "RemediationRoleConfigureS3BucketLoggingSHARRMemberBasePolicyAC4F82A8",
    "Roles": [
     {
      "Ref": "RemediationRoleConfigureS3BucketLoggingMemberAccountRoleE068390D"
     }
    ]
   }
  },
  "RemediationRoleConfigureS3BucketLoggingMemberAccountRoleE068390D": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":role/SO0111-SHARR-Orchestrator-Member"
          ]
         ]
        }
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "Service": "ssm.amazonaws.com"
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":root"
          ]
         ]
        }
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "RoleName": {
     "Fn::Join": [
      "",
      [
       "SO0111-ConfigureS3BucketLogging-",
       {
        "Ref": "Namespace"
       }
      ]
     ]
    }
   },
   "DependsOn": [
    "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5"
   ],
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W11",
       "reason": "Resource * is required due to the administrative nature of the solution."
      },
      {
       "id": "W28",
       "reason": "Static names chosen intentionally to provide integration in cross-account permissions"
      }
     ]
    }
   }
  },
  "ASRRemediationPolicyDisablePublicAccessForSecurityGroup8796016C": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "ec2:DescribeSecurityGroupReferences",
        "ec2:DescribeSecurityGroups",
        "ec2:UpdateSecurityGroupRuleDescriptionsEgress",
        "ec2:UpdateSecurityGroupRuleDescriptionsIngress",
        "ec2:RevokeSecurityGroupIngress",
        "ec2:RevokeSecurityGroupEgress"
       ],
       "Effect": "Allow",
       "Resource": "*"
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "ASRRemediationPolicyDisablePublicAccessForSecurityGroup8796016C",
    "Roles": [
     {
      "Ref": "RemediationRoleDisablePublicAccessForSecurityGroupMemberAccountRole3BED8BF4"
     }
    ]
   },
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W12",
       "reason": "Resource * is required to allow remediation for *any* resource."
      }
     ]
    }
   }
  },
  "RemediationRoleDisablePublicAccessForSecurityGroupSHARRMemberBasePolicy3076FC8A": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "ssm:GetParameters",
        "ssm:GetParameter",
        "ssm:PutParameter"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":ssm:*:",
          {
           "Ref": "AWS::AccountId"
          },
          ":parameter/Solutions/SO0111/*"
         ]
        ]
       }
      },
      {
       "Action": "iam:PassRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-DisablePublicAccessForSecurityGroup-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      },
      {
       "Action": [
        "ssm:StartAutomationExecution",
        "ssm:GetAutomationExecution",
        "ssm:DescribeAutomationStepExecutions"
       ],
       "Effect": "Allow",
       "Resource": [
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":document/Solutions/SHARR-SO0111-DisablePublicAccessForSecurityGroup-",
           {
            "Ref": "Namespace"
           }
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*::automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-execution/*"
          ]
         ]
        }
       ]
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-DisablePublicAccessForSecurityGroup-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "RemediationRoleDisablePublicAccessForSecurityGroupSHARRMemberBasePolicy3076FC8A",
    "Roles": [
     {
      "Ref": "RemediationRoleDisablePublicAccessForSecurityGroupMemberAccountRole3BED8BF4"
     }
    ]
   }
  },
  "RemediationRoleDisablePublicAccessForSecurityGroupMemberAccountRole3BED8BF4": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":role/SO0111-SHARR-Orchestrator-Member"
          ]
         ]
        }
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "Service": "ssm.amazonaws.com"
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":root"
          ]
         ]
        }
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "RoleName": {
     "Fn::Join": [
      "",
      [
       "SO0111-DisablePublicAccessForSecurityGroup-",
       {
        "Ref": "Namespace"
       }
      ]
     ]
    }
   },
   "DependsOn": [
    "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5"
   ],
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W11",
       "reason": "Resource * is required due to the administrative nature of the solution."
      },
      {
       "id": "W28",
       "reason": "Static names chosen intentionally to provide integration in cross-account permissions"
      }
     ]
    }
   }
  },
  "ASRRemediationPolicyConfigureS3BucketPublicAccessBlock64F47C51": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "s3:PutBucketPublicAccessBlock",
        "s3:GetBucketPublicAccessBlock"
       ],
       "Effect": "Allow",
       "Resource": "*"
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "ASRRemediationPolicyConfigureS3BucketPublicAccessBlock64F47C51",
    "Roles": [
     {
      "Ref": "RemediationRoleConfigureS3BucketPublicAccessBlockMemberAccountRoleC78F6EE7"
     }
    ]
   },
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W12",
       "reason": "Resource * is required to allow remediation for *any* resource."
      }
     ]
    }
   }
  },
  "RemediationRoleConfigureS3BucketPublicAccessBlockSHARRMemberBasePolicyB9DCBD99": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "ssm:GetParameters",
        "ssm:GetParameter",
        "ssm:PutParameter"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":ssm:*:",
          {
           "Ref": "AWS::AccountId"
          },
          ":parameter/Solutions/SO0111/*"
         ]
        ]
       }
      },
      {
       "Action": "iam:PassRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-ConfigureS3BucketPublicAccessBlock-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      },
      {
       "Action": [
        "ssm:StartAutomationExecution",
        "ssm:GetAutomationExecution",
        "ssm:DescribeAutomationStepExecutions"
       ],
       "Effect": "Allow",
       "Resource": [
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":document/Solutions/SHARR-SO0111-ConfigureS3BucketPublicAccessBlock-",
           {
            "Ref": "Namespace"
           }
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*::automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-execution/*"
          ]
         ]
        }
       ]
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-ConfigureS3BucketPublicAccessBlock-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "RemediationRoleConfigureS3BucketPublicAccessBlockSHARRMemberBasePolicyB9DCBD99",
    "Roles": [
     {
      "Ref": "RemediationRoleConfigureS3BucketPublicAccessBlockMemberAccountRoleC78F6EE7"
     }
    ]
   }
  },
  "RemediationRoleConfigureS3BucketPublicAccessBlockMemberAccountRoleC78F6EE7": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":role/SO0111-SHARR-Orchestrator-Member"
          ]
         ]
        }
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "Service": "ssm.amazonaws.com"
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":root"
          ]
         ]
        }
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "RoleName": {
     "Fn::Join": [
      "",
      [
       "SO0111-ConfigureS3BucketPublicAccessBlock-",
       {
        "Ref": "Namespace"
       }
      ]
     ]
    }
   },
   "DependsOn": [
    "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5"
   ],
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W11",
       "reason": "Resource * is required due to the administrative nature of the solution."
      },
      {
       "id": "W28",
       "reason": "Static names chosen intentionally to provide integration in cross-account permissions"
      }
     ]
    }
   }
  },
  "ASRRemediationPolicyConfigureS3PublicAccessBlockD812FED9": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "s3:PutAccountPublicAccessBlock",
        "s3:GetAccountPublicAccessBlock"
       ],
       "Effect": "Allow",
       "Resource": "*"
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "ASRRemediationPolicyConfigureS3PublicAccessBlockD812FED9",
    "Roles": [
     {
      "Ref": "RemediationRoleConfigureS3PublicAccessBlockMemberAccountRole98A4BC1D"
     }
    ]
   },
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W12",
       "reason": "Resource * is required to allow remediation for *any* resource."
      }
     ]
    }
   }
  },
  "RemediationRoleConfigureS3PublicAccessBlockSHARRMemberBasePolicy26BF29A6": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "ssm:GetParameters",
        "ssm:GetParameter",
        "ssm:PutParameter"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":ssm:*:",
          {
           "Ref": "AWS::AccountId"
          },
          ":parameter/Solutions/SO0111/*"
         ]
        ]
       }
      },
      {
       "Action": "iam:PassRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-ConfigureS3PublicAccessBlock-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      },
      {
       "Action": [
        "ssm:StartAutomationExecution",
        "ssm:GetAutomationExecution",
        "ssm:DescribeAutomationStepExecutions"
       ],
       "Effect": "Allow",
       "Resource": [
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":document/Solutions/SHARR-SO0111-ConfigureS3PublicAccessBlock-",
           {
            "Ref": "Namespace"
           }
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*::automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-execution/*"
          ]
         ]
        }
       ]
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-ConfigureS3PublicAccessBlock-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "RemediationRoleConfigureS3PublicAccessBlockSHARRMemberBasePolicy26BF29A6",
    "Roles": [
     {
      "Ref": "RemediationRoleConfigureS3PublicAccessBlockMemberAccountRole98A4BC1D"
     }
    ]
   }
  },
  "RemediationRoleConfigureS3PublicAccessBlockMemberAccountRole98A4BC1D": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":role/SO0111-SHARR-Orchestrator-Member"
          ]
         ]
        }
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "Service": "ssm.amazonaws.com"
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":root"
          ]
         ]
        }
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "RoleName": {
     "Fn::Join": [
      "",
      [
       "SO0111-ConfigureS3PublicAccessBlock-",
       {
        "Ref": "Namespace"
       }
      ]
     ]
    }
   },
   "DependsOn": [
    "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5"
   ],
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W11",
       "reason": "Resource * is required due to the administrative nature of the solution."
      },
      {
       "id": "W28",
       "reason": "Static names chosen intentionally to provide integration in cross-account permissions"
      }
     ]
    }
   }
  },
  "ASRRemediationPolicyEnableCloudTrailLogFileValidationAD33D09E": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "cloudtrail:UpdateTrail",
        "cloudtrail:GetTrail"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":cloudtrail:*:",
          {
           "Ref": "AWS::AccountId"
          },
          ":trail/*"
         ]
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "ASRRemediationPolicyEnableCloudTrailLogFileValidationAD33D09E",
    "Roles": [
     {
      "Ref": "RemediationRoleEnableCloudTrailLogFileValidationMemberAccountRole3F5F7157"
     }
    ]
   }
  },
  "RemediationRoleEnableCloudTrailLogFileValidationSHARRMemberBasePolicy85A07C2D": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "ssm:GetParameters",
        "ssm:GetParameter",
        "ssm:PutParameter"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":ssm:*:",
          {
           "Ref": "AWS::AccountId"
          },
          ":parameter/Solutions/SO0111/*"
         ]
        ]
       }
      },
      {
       "Action": "iam:PassRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-EnableCloudTrailLogFileValidation-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      },
      {
       "Action": [
        "ssm:StartAutomationExecution",
        "ssm:GetAutomationExecution",
        "ssm:DescribeAutomationStepExecutions"
       ],
       "Effect": "Allow",
       "Resource": [
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":document/Solutions/SHARR-SO0111-EnableCloudTrailLogFileValidation-",
           {
            "Ref": "Namespace"
           }
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*::automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-execution/*"
          ]
         ]
        }
       ]
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-EnableCloudTrailLogFileValidation-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "RemediationRoleEnableCloudTrailLogFileValidationSHARRMemberBasePolicy85A07C2D",
    "Roles": [
     {
      "Ref": "RemediationRoleEnableCloudTrailLogFileValidationMemberAccountRole3F5F7157"
     }
    ]
   }
  },
  "RemediationRoleEnableCloudTrailLogFileValidationMemberAccountRole3F5F7157": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":role/SO0111-SHARR-Orchestrator-Member"
          ]
         ]
        }
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "Service": "ssm.amazonaws.com"
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":root"
          ]
         ]
        }
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "RoleName": {
     "Fn::Join": [
      "",
      [
       "SO0111-EnableCloudTrailLogFileValidation-",
       {
        "Ref": "Namespace"
       }
      ]
     ]
    }
   },
   "DependsOn": [
    "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5"
   ],
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W11",
       "reason": "Resource * is required due to the administrative nature of the solution."
      },
      {
       "id": "W28",
       "reason": "Static names chosen intentionally to provide integration in cross-account permissions"
      }
     ]
    }
   }
  },
  "ASRRemediationPolicyEnableEbsEncryptionByDefault7AA2FA46": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "ec2:EnableEBSEncryptionByDefault",
        "ec2:GetEbsEncryptionByDefault"
       ],
       "Effect": "Allow",
       "Resource": "*"
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "ASRRemediationPolicyEnableEbsEncryptionByDefault7AA2FA46",
    "Roles": [
     {
      "Ref": "RemediationRoleEnableEbsEncryptionByDefaultMemberAccountRoleDF17FF59"
     }
    ]
   },
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W12",
       "reason": "Resource * is required to allow remediation for *any* resource."
      }
     ]
    }
   }
  },
  "RemediationRoleEnableEbsEncryptionByDefaultSHARRMemberBasePolicy77CF4834": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "ssm:GetParameters",
        "ssm:GetParameter",
        "ssm:PutParameter"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":ssm:*:",
          {
           "Ref": "AWS::AccountId"
          },
          ":parameter/Solutions/SO0111/*"
         ]
        ]
       }
      },
      {
       "Action": "iam:PassRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-EnableEbsEncryptionByDefault-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      },
      {
       "Action": [
        "ssm:StartAutomationExecution",
        "ssm:GetAutomationExecution",
        "ssm:DescribeAutomationStepExecutions"
       ],
       "Effect": "Allow",
       "Resource": [
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":document/Solutions/SHARR-SO0111-EnableEbsEncryptionByDefault-",
           {
            "Ref": "Namespace"
           }
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*::automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-execution/*"
          ]
         ]
        }
       ]
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-EnableEbsEncryptionByDefault-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "RemediationRoleEnableEbsEncryptionByDefaultSHARRMemberBasePolicy77CF4834",
    "Roles": [
     {
      "Ref": "RemediationRoleEnableEbsEncryptionByDefaultMemberAccountRoleDF17FF59"
     }
    ]
   }
  },
  "RemediationRoleEnableEbsEncryptionByDefaultMemberAccountRoleDF17FF59": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":role/SO0111-SHARR-Orchestrator-Member"
          ]
         ]
        }
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "Service": "ssm.amazonaws.com"
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":root"
          ]
         ]
        }
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "RoleName": {
     "Fn::Join": [
      "",
      [
       "SO0111-EnableEbsEncryptionByDefault-",
       {
        "Ref": "Namespace"
       }
      ]
     ]
    }
   },
   "DependsOn": [
    "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5"
   ],
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W11",
       "reason": "Resource * is required due to the administrative nature of the solution."
      },
      {
       "id": "W28",
       "reason": "Static names chosen intentionally to provide integration in cross-account permissions"
      }
     ]
    }
   }
  },
  "ASRRemediationPolicyEnableEnhancedMonitoringOnRDSInstance7CF36749": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "iam:GetRole",
        "iam:PassRole"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-RDSMonitoring-remediationRole-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      },
      {
       "Action": [
        "rds:DescribeDBInstances",
        "rds:ModifyDBInstance"
       ],
       "Effect": "Allow",
       "Resource": "*"
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "ASRRemediationPolicyEnableEnhancedMonitoringOnRDSInstance7CF36749",
    "Roles": [
     {
      "Ref": "RemediationRoleEnableEnhancedMonitoringOnRDSInstanceMemberAccountRoleB3EFCB99"
     }
    ]
   },
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W12",
       "reason": "Resource * is required to allow remediation for *any* RDS database."
      }
     ]
    }
   }
  },
  "RemediationRoleEnableEnhancedMonitoringOnRDSInstanceSHARRMemberBasePolicy4D03FBD0": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "ssm:GetParameters",
        "ssm:GetParameter",
        "ssm:PutParameter"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":ssm:*:",
          {
           "Ref": "AWS::AccountId"
          },
          ":parameter/Solutions/SO0111/*"
         ]
        ]
       }
      },
      {
       "Action": "iam:PassRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-EnableEnhancedMonitoringOnRDSInstance-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      },
      {
       "Action": [
        "ssm:StartAutomationExecution",
        "ssm:GetAutomationExecution",
        "ssm:DescribeAutomationStepExecutions"
       ],
       "Effect": "Allow",
       "Resource": [
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":document/Solutions/SHARR-SO0111-EnableEnhancedMonitoringOnRDSInstance-",
           {
            "Ref": "Namespace"
           }
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*::automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-execution/*"
          ]
         ]
        }
       ]
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-EnableEnhancedMonitoringOnRDSInstance-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "RemediationRoleEnableEnhancedMonitoringOnRDSInstanceSHARRMemberBasePolicy4D03FBD0",
    "Roles": [
     {
      "Ref": "RemediationRoleEnableEnhancedMonitoringOnRDSInstanceMemberAccountRoleB3EFCB99"
     }
    ]
   }
  },
  "RemediationRoleEnableEnhancedMonitoringOnRDSInstanceMemberAccountRoleB3EFCB99": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":role/SO0111-SHARR-Orchestrator-Member"
          ]
         ]
        }
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "Service": "ssm.amazonaws.com"
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":root"
          ]
         ]
        }
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "RoleName": {
     "Fn::Join": [
      "",
      [
       "SO0111-EnableEnhancedMonitoringOnRDSInstance-",
       {
        "Ref": "Namespace"
       }
      ]
     ]
    }
   },
   "DependsOn": [
    "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5"
   ],
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W11",
       "reason": "Resource * is required due to the administrative nature of the solution."
      },
      {
       "id": "W28",
       "reason": "Static names chosen intentionally to provide integration in cross-account permissions"
      }
     ]
    }
   }
  },
  "Rds6EnhancedMonitoringRoleRDS6EnhancedMonitoringPolicyA2EB4EE9": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "logs:CreateLogGroup",
        "logs:PutRetentionPolicy"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":logs:*:",
          {
           "Ref": "AWS::AccountId"
          },
          ":log-group:RDS*"
         ]
        ]
       },
       "Sid": "EnableCreationAndManagementOfRDSCloudwatchLogGroups"
      },
      {
       "Action": [
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "logs:DescribeLogStreams",
        "logs:GetLogEvents"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":logs:*:",
          {
           "Ref": "AWS::AccountId"
          },
          ":log-group:RDS*:log-stream:*"
         ]
        ]
       },
       "Sid": "EnableCreationAndManagementOfRDSCloudwatchLogStreams"
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "Rds6EnhancedMonitoringRoleRDS6EnhancedMonitoringPolicyA2EB4EE9",
    "Roles": [
     {
      "Ref": "Rds6EnhancedMonitoringRole2FD1E9A5"
     }
    ]
   }
  },
  "Rds6EnhancedMonitoringRole2FD1E9A5": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "Service": "monitoring.rds.amazonaws.com"
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "RoleName": {
     "Fn::Join": [
      "",
      [
       "SO0111-RDSMonitoring-remediationRole-",
       {
        "Ref": "Namespace"
       }
      ]
     ]
    }
   },
   "UpdateReplacePolicy": "Retain",
   "DeletionPolicy": "Retain",
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W28",
       "reason": "Static names required to allow use in automated remediation runbooks."
      }
     ]
    }
   }
  },
  "ASRRemediationPolicyEnableKeyRotation44A8458E": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "kms:EnableKeyRotation",
        "kms:GetKeyRotationStatus"
       ],
       "Effect": "Allow",
       "Resource": "*"
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "ASRRemediationPolicyEnableKeyRotation44A8458E",
    "Roles": [
     {
      "Ref": "RemediationRoleEnableKeyRotationMemberAccountRole2366F17F"
     }
    ]
   },
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W12",
       "reason": "Resource * is required to allow remediation for *any* resource."
      }
     ]
    }
   }
  },
  "RemediationRoleEnableKeyRotationSHARRMemberBasePolicyA6E832D4": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "ssm:GetParameters",
        "ssm:GetParameter",
        "ssm:PutParameter"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":ssm:*:",
          {
           "Ref": "AWS::AccountId"
          },
          ":parameter/Solutions/SO0111/*"
         ]
        ]
       }
      },
      {
       "Action": "iam:PassRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-EnableKeyRotation-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      },
      {
       "Action": [
        "ssm:StartAutomationExecution",
        "ssm:GetAutomationExecution",
        "ssm:DescribeAutomationStepExecutions"
       ],
       "Effect": "Allow",
       "Resource": [
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":document/Solutions/SHARR-SO0111-EnableKeyRotation-",
           {
            "Ref": "Namespace"
           }
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*::automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-execution/*"
          ]
         ]
        }
       ]
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-EnableKeyRotation-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "RemediationRoleEnableKeyRotationSHARRMemberBasePolicyA6E832D4",
    "Roles": [
     {
      "Ref": "RemediationRoleEnableKeyRotationMemberAccountRole2366F17F"
     }
    ]
   }
  },
  "RemediationRoleEnableKeyRotationMemberAccountRole2366F17F": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":role/SO0111-SHARR-Orchestrator-Member"
          ]
         ]
        }
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "Service": "ssm.amazonaws.com"
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":root"
          ]
         ]
        }
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "RoleName": {
     "Fn::Join": [
      "",
      [
       "SO0111-EnableKeyRotation-",
       {
        "Ref": "Namespace"
       }
      ]
     ]
    }
   },
   "DependsOn": [
    "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5"
   ],
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W11",
       "reason": "Resource * is required due to the administrative nature of the solution."
      },
      {
       "id": "W28",
       "reason": "Static names chosen intentionally to provide integration in cross-account permissions"
      }
     ]
    }
   }
  },
  "ASRRemediationPolicyEnableRDSClusterDeletionProtectionCD3F43B5": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": "iam:GetRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/RDSEnhancedMonitoringRole"
         ]
        ]
       }
      },
      {
       "Action": "config:GetResourceConfigHistory",
       "Effect": "Allow",
       "Resource": "*"
      },
      {
       "Action": [
        "rds:DescribeDBClusters",
        "rds:ModifyDBCluster",
        "rds:ModifyDBInstance"
       ],
       "Effect": "Allow",
       "Resource": "*"
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "ASRRemediationPolicyEnableRDSClusterDeletionProtectionCD3F43B5",
    "Roles": [
     {
      "Ref": "RemediationRoleEnableRDSClusterDeletionProtectionMemberAccountRole019A1667"
     }
    ]
   },
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W12",
       "reason": "Resource * is required to allow remediation for *any* RDS database."
      }
     ]
    }
   }
  },
  "RemediationRoleEnableRDSClusterDeletionProtectionSHARRMemberBasePolicy90D2EA44": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "ssm:GetParameters",
        "ssm:GetParameter",
        "ssm:PutParameter"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":ssm:*:",
          {
           "Ref": "AWS::AccountId"
          },
          ":parameter/Solutions/SO0111/*"
         ]
        ]
       }
      },
      {
       "Action": "iam:PassRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-EnableRDSClusterDeletionProtection-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      },
      {
       "Action": [
        "ssm:StartAutomationExecution",
        "ssm:GetAutomationExecution",
        "ssm:DescribeAutomationStepExecutions"
       ],
       "Effect": "Allow",
       "Resource": [
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":document/Solutions/SHARR-SO0111-EnableRDSClusterDeletionProtection-",
           {
            "Ref": "Namespace"
           }
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*::automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-execution/*"
          ]
         ]
        }
       ]
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-EnableRDSClusterDeletionProtection-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "RemediationRoleEnableRDSClusterDeletionProtectionSHARRMemberBasePolicy90D2EA44",
    "Roles": [
     {
      "Ref": "RemediationRoleEnableRDSClusterDeletionProtectionMemberAccountRole019A1667"
     }
    ]
   }
  },
  "RemediationRoleEnableRDSClusterDeletionProtectionMemberAccountRole019A1667": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":role/SO0111-SHARR-Orchestrator-Member"
          ]
         ]
        }
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "Service": "ssm.amazonaws.com"
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":root"
          ]
         ]
        }
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "RoleName": {
     "Fn::Join": [
      "",
      [
       "SO0111-EnableRDSClusterDeletionProtection-",
       {
        "Ref": "Namespace"
       }
      ]
     ]
    }
   },
   "DependsOn": [
    "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5"
   ],
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W11",
       "reason": "Resource * is required due to the administrative nature of the solution."
      },
      {
       "id": "W28",
       "reason": "Static names chosen intentionally to provide integration in cross-account permissions"
      }
     ]
    }
   }
  },
  "ASRRemediationPolicyEnableCopyTagsToSnapshotOnRDSCluster28EA92EB": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": "iam:GetRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/RDSEnhancedMonitoringRole"
         ]
        ]
       }
      },
      {
       "Action": "config:GetResourceConfigHistory",
       "Effect": "Allow",
       "Resource": "*"
      },
      {
       "Action": [
        "rds:DescribeDBClusters",
        "rds:ModifyDBCluster"
       ],
       "Effect": "Allow",
       "Resource": "*"
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "ASRRemediationPolicyEnableCopyTagsToSnapshotOnRDSCluster28EA92EB",
    "Roles": [
     {
      "Ref": "RemediationRoleEnableCopyTagsToSnapshotOnRDSClusterMemberAccountRole026ECDEE"
     }
    ]
   },
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W12",
       "reason": "Resource * is required to allow remediation for *any* RDS database."
      }
     ]
    }
   }
  },
  "RemediationRoleEnableCopyTagsToSnapshotOnRDSClusterSHARRMemberBasePolicy5F24C304": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "ssm:GetParameters",
        "ssm:GetParameter",
        "ssm:PutParameter"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":ssm:*:",
          {
           "Ref": "AWS::AccountId"
          },
          ":parameter/Solutions/SO0111/*"
         ]
        ]
       }
      },
      {
       "Action": "iam:PassRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-EnableCopyTagsToSnapshotOnRDSCluster-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      },
      {
       "Action": [
        "ssm:StartAutomationExecution",
        "ssm:GetAutomationExecution",
        "ssm:DescribeAutomationStepExecutions"
       ],
       "Effect": "Allow",
       "Resource": [
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":document/Solutions/SHARR-SO0111-EnableCopyTagsToSnapshotOnRDSCluster-",
           {
            "Ref": "Namespace"
           }
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*::automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-execution/*"
          ]
         ]
        }
       ]
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-EnableCopyTagsToSnapshotOnRDSCluster-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "RemediationRoleEnableCopyTagsToSnapshotOnRDSClusterSHARRMemberBasePolicy5F24C304",
    "Roles": [
     {
      "Ref": "RemediationRoleEnableCopyTagsToSnapshotOnRDSClusterMemberAccountRole026ECDEE"
     }
    ]
   }
  },
  "RemediationRoleEnableCopyTagsToSnapshotOnRDSClusterMemberAccountRole026ECDEE": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":role/SO0111-SHARR-Orchestrator-Member"
          ]
         ]
        }
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "Service": "ssm.amazonaws.com"
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":root"
          ]
         ]
        }
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "RoleName": {
     "Fn::Join": [
      "",
      [
       "SO0111-EnableCopyTagsToSnapshotOnRDSCluster-",
       {
        "Ref": "Namespace"
       }
      ]
     ]
    }
   },
   "DependsOn": [
    "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5"
   ],
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W11",
       "reason": "Resource * is required due to the administrative nature of the solution."
      },
      {
       "id": "W28",
       "reason": "Static names chosen intentionally to provide integration in cross-account permissions"
      }
     ]
    }
   }
  },
  "ASRRemediationPolicyEnableRDSInstanceDeletionProtectionC88D4896": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "rds:DescribeDBInstances",
        "rds:ModifyDBInstance"
       ],
       "Effect": "Allow",
       "Resource": "*"
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "ASRRemediationPolicyEnableRDSInstanceDeletionProtectionC88D4896",
    "Roles": [
     {
      "Ref": "RemediationRoleEnableRDSInstanceDeletionProtectionMemberAccountRole105E9511"
     }
    ]
   },
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W12",
       "reason": "Resource * is required to allow remediation for *any* RDS database."
      }
     ]
    }
   }
  },
  "RemediationRoleEnableRDSInstanceDeletionProtectionSHARRMemberBasePolicy5071CD93": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "ssm:GetParameters",
        "ssm:GetParameter",
        "ssm:PutParameter"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":ssm:*:",
          {
           "Ref": "AWS::AccountId"
          },
          ":parameter/Solutions/SO0111/*"
         ]
        ]
       }
      },
      {
       "Action": "iam:PassRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-EnableRDSInstanceDeletionProtection-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      },
      {
       "Action": [
        "ssm:StartAutomationExecution",
        "ssm:GetAutomationExecution",
        "ssm:DescribeAutomationStepExecutions"
       ],
       "Effect": "Allow",
       "Resource": [
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":document/Solutions/SHARR-SO0111-EnableRDSInstanceDeletionProtection-",
           {
            "Ref": "Namespace"
           }
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*::automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-execution/*"
          ]
         ]
        }
       ]
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-EnableRDSInstanceDeletionProtection-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "RemediationRoleEnableRDSInstanceDeletionProtectionSHARRMemberBasePolicy5071CD93",
    "Roles": [
     {
      "Ref": "RemediationRoleEnableRDSInstanceDeletionProtectionMemberAccountRole105E9511"
     }
    ]
   }
  },
  "RemediationRoleEnableRDSInstanceDeletionProtectionMemberAccountRole105E9511": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":role/SO0111-SHARR-Orchestrator-Member"
          ]
         ]
        }
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "Service": "ssm.amazonaws.com"
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":root"
          ]
         ]
        }
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "RoleName": {
     "Fn::Join": [
      "",
      [
       "SO0111-EnableRDSInstanceDeletionProtection-",
       {
        "Ref": "Namespace"
       }
      ]
     ]
    }
   },
   "DependsOn": [
    "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5"
   ],
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W11",
       "reason": "Resource * is required due to the administrative nature of the solution."
      },
      {
       "id": "W28",
       "reason": "Static names chosen intentionally to provide integration in cross-account permissions"
      }
     ]
    }
   }
  },
  "ASRRemediationPolicyEnableMultiAZOnRDSInstance42AE98DD": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "rds:DescribeDBInstances",
        "rds:ModifyDBInstance"
       ],
       "Effect": "Allow",
       "Resource": "*"
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "ASRRemediationPolicyEnableMultiAZOnRDSInstance42AE98DD",
    "Roles": [
     {
      "Ref": "RemediationRoleEnableMultiAZOnRDSInstanceMemberAccountRoleE0F45AF6"
     }
    ]
   },
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W12",
       "reason": "Resource * is required to allow remediation for *any* RDS database."
      }
     ]
    }
   }
  },
  "RemediationRoleEnableMultiAZOnRDSInstanceSHARRMemberBasePolicy1DE61917": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "ssm:GetParameters",
        "ssm:GetParameter",
        "ssm:PutParameter"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":ssm:*:",
          {
           "Ref": "AWS::AccountId"
          },
          ":parameter/Solutions/SO0111/*"
         ]
        ]
       }
      },
      {
       "Action": "iam:PassRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-EnableMultiAZOnRDSInstance-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      },
      {
       "Action": [
        "ssm:StartAutomationExecution",
        "ssm:GetAutomationExecution",
        "ssm:DescribeAutomationStepExecutions"
       ],
       "Effect": "Allow",
       "Resource": [
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":document/Solutions/SHARR-SO0111-EnableMultiAZOnRDSInstance-",
           {
            "Ref": "Namespace"
           }
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*::automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-execution/*"
          ]
         ]
        }
       ]
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-EnableMultiAZOnRDSInstance-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "RemediationRoleEnableMultiAZOnRDSInstanceSHARRMemberBasePolicy1DE61917",
    "Roles": [
     {
      "Ref": "RemediationRoleEnableMultiAZOnRDSInstanceMemberAccountRoleE0F45AF6"
     }
    ]
   }
  },
  "RemediationRoleEnableMultiAZOnRDSInstanceMemberAccountRoleE0F45AF6": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":role/SO0111-SHARR-Orchestrator-Member"
          ]
         ]
        }
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "Service": "ssm.amazonaws.com"
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":root"
          ]
         ]
        }
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "RoleName": {
     "Fn::Join": [
      "",
      [
       "SO0111-EnableMultiAZOnRDSInstance-",
       {
        "Ref": "Namespace"
       }
      ]
     ]
    }
   },
   "DependsOn": [
    "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5"
   ],
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W11",
       "reason": "Resource * is required due to the administrative nature of the solution."
      },
      {
       "id": "W28",
       "reason": "Static names chosen intentionally to provide integration in cross-account permissions"
      }
     ]
    }
   }
  },
  "ASRRemediationPolicyRemoveVPCDefaultSecurityGroupRulesCFCC9075": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "ec2:UpdateSecurityGroupRuleDescriptionsEgress",
        "ec2:UpdateSecurityGroupRuleDescriptionsIngress",
        "ec2:RevokeSecurityGroupIngress",
        "ec2:RevokeSecurityGroupEgress"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":ec2:*:",
          {
           "Ref": "AWS::AccountId"
          },
          ":security-group/*"
         ]
        ]
       }
      },
      {
       "Action": [
        "ec2:DescribeSecurityGroupReferences",
        "ec2:DescribeSecurityGroups"
       ],
       "Effect": "Allow",
       "Resource": "*"
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "ASRRemediationPolicyRemoveVPCDefaultSecurityGroupRulesCFCC9075",
    "Roles": [
     {
      "Ref": "RemediationRoleRemoveVPCDefaultSecurityGroupRulesMemberAccountRole406D320B"
     }
    ]
   },
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W12",
       "reason": "Resource * is required to allow remediation for any resource."
      },
      {
       "id": "W28",
       "reason": "Static names chosen intentionally to provide integration in cross-account permissions"
      }
     ]
    }
   }
  },
  "RemediationRoleRemoveVPCDefaultSecurityGroupRulesSHARRMemberBasePolicy18B08253": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "ssm:GetParameters",
        "ssm:GetParameter",
        "ssm:PutParameter"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":ssm:*:",
          {
           "Ref": "AWS::AccountId"
          },
          ":parameter/Solutions/SO0111/*"
         ]
        ]
       }
      },
      {
       "Action": "iam:PassRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-RemoveVPCDefaultSecurityGroupRules-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      },
      {
       "Action": [
        "ssm:StartAutomationExecution",
        "ssm:GetAutomationExecution",
        "ssm:DescribeAutomationStepExecutions"
       ],
       "Effect": "Allow",
       "Resource": [
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":document/Solutions/SHARR-SO0111-RemoveVPCDefaultSecurityGroupRules-",
           {
            "Ref": "Namespace"
           }
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*::automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-execution/*"
          ]
         ]
        }
       ]
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-RemoveVPCDefaultSecurityGroupRules-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "RemediationRoleRemoveVPCDefaultSecurityGroupRulesSHARRMemberBasePolicy18B08253",
    "Roles": [
     {
      "Ref": "RemediationRoleRemoveVPCDefaultSecurityGroupRulesMemberAccountRole406D320B"
     }
    ]
   }
  },
  "RemediationRoleRemoveVPCDefaultSecurityGroupRulesMemberAccountRole406D320B": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":role/SO0111-SHARR-Orchestrator-Member"
          ]
         ]
        }
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "Service": "ssm.amazonaws.com"
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":root"
          ]
         ]
        }
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "RoleName": {
     "Fn::Join": [
      "",
      [
       "SO0111-RemoveVPCDefaultSecurityGroupRules-",
       {
        "Ref": "Namespace"
       }
      ]
     ]
    }
   },
   "DependsOn": [
    "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5"
   ],
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W11",
       "reason": "Resource * is required due to the administrative nature of the solution."
      },
      {
       "id": "W28",
       "reason": "Static names chosen intentionally to provide integration in cross-account permissions"
      }
     ]
    }
   }
  },
  "ASRRemediationPolicyRevokeUnusedIAMUserCredentials80B75170": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "iam:UpdateAccessKey",
        "iam:ListAccessKeys",
        "iam:GetAccessKeyLastUsed",
        "iam:GetUser",
        "iam:GetLoginProfile",
        "iam:DeleteLoginProfile"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":user/*"
         ]
        ]
       }
      },
      {
       "Action": "config:ListDiscoveredResources",
       "Effect": "Allow",
       "Resource": "*"
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "ASRRemediationPolicyRevokeUnusedIAMUserCredentials80B75170",
    "Roles": [
     {
      "Ref": "RemediationRoleRevokeUnusedIAMUserCredentialsMemberAccountRole5C008B43"
     }
    ]
   },
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W12",
       "reason": "Resource * is required to allow remediation for any resource."
      }
     ]
    }
   }
  },
  "RemediationRoleRevokeUnusedIAMUserCredentialsSHARRMemberBasePolicy6519E750": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "ssm:GetParameters",
        "ssm:GetParameter",
        "ssm:PutParameter"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":ssm:*:",
          {
           "Ref": "AWS::AccountId"
          },
          ":parameter/Solutions/SO0111/*"
         ]
        ]
       }
      },
      {
       "Action": "iam:PassRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-RevokeUnusedIAMUserCredentials-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      },
      {
       "Action": [
        "ssm:StartAutomationExecution",
        "ssm:GetAutomationExecution",
        "ssm:DescribeAutomationStepExecutions"
       ],
       "Effect": "Allow",
       "Resource": [
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":document/Solutions/SHARR-SO0111-RevokeUnusedIAMUserCredentials-",
           {
            "Ref": "Namespace"
           }
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*::automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-execution/*"
          ]
         ]
        }
       ]
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-RevokeUnusedIAMUserCredentials-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "RemediationRoleRevokeUnusedIAMUserCredentialsSHARRMemberBasePolicy6519E750",
    "Roles": [
     {
      "Ref": "RemediationRoleRevokeUnusedIAMUserCredentialsMemberAccountRole5C008B43"
     }
    ]
   }
  },
  "RemediationRoleRevokeUnusedIAMUserCredentialsMemberAccountRole5C008B43": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":role/SO0111-SHARR-Orchestrator-Member"
          ]
         ]
        }
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "Service": "ssm.amazonaws.com"
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":root"
          ]
         ]
        }
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "RoleName": {
     "Fn::Join": [
      "",
      [
       "SO0111-RevokeUnusedIAMUserCredentials-",
       {
        "Ref": "Namespace"
       }
      ]
     ]
    }
   },
   "DependsOn": [
    "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5"
   ],
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W11",
       "reason": "Resource * is required due to the administrative nature of the solution."
      },
      {
       "id": "W28",
       "reason": "Static names chosen intentionally to provide integration in cross-account permissions"
      }
     ]
    }
   }
  },
  "ASRRemediationPolicySetIAMPasswordPolicy5DADE3C8": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "iam:UpdateAccountPasswordPolicy",
        "iam:GetAccountPasswordPolicy",
        "ec2:UpdateSecurityGroupRuleDescriptionsIngress",
        "ec2:RevokeSecurityGroupIngress",
        "ec2:RevokeSecurityGroupEgress"
       ],
       "Effect": "Allow",
       "Resource": "*"
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "ASRRemediationPolicySetIAMPasswordPolicy5DADE3C8",
    "Roles": [
     {
      "Ref": "RemediationRoleSetIAMPasswordPolicyMemberAccountRoleA1FF47B4"
     }
    ]
   },
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W12",
       "reason": "Resource * is required to allow remediation for any resource."
      }
     ]
    }
   }
  },
  "RemediationRoleSetIAMPasswordPolicySHARRMemberBasePolicy3E89D2C9": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "ssm:GetParameters",
        "ssm:GetParameter",
        "ssm:PutParameter"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":ssm:*:",
          {
           "Ref": "AWS::AccountId"
          },
          ":parameter/Solutions/SO0111/*"
         ]
        ]
       }
      },
      {
       "Action": "iam:PassRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-SetIAMPasswordPolicy-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      },
      {
       "Action": [
        "ssm:StartAutomationExecution",
        "ssm:GetAutomationExecution",
        "ssm:DescribeAutomationStepExecutions"
       ],
       "Effect": "Allow",
       "Resource": [
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":document/Solutions/SHARR-SO0111-SetIAMPasswordPolicy-",
           {
            "Ref": "Namespace"
           }
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*::automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-execution/*"
          ]
         ]
        }
       ]
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-SetIAMPasswordPolicy-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "RemediationRoleSetIAMPasswordPolicySHARRMemberBasePolicy3E89D2C9",
    "Roles": [
     {
      "Ref": "RemediationRoleSetIAMPasswordPolicyMemberAccountRoleA1FF47B4"
     }
    ]
   }
  },
  "RemediationRoleSetIAMPasswordPolicyMemberAccountRoleA1FF47B4": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":role/SO0111-SHARR-Orchestrator-Member"
          ]
         ]
        }
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "Service": "ssm.amazonaws.com"
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":root"
          ]
         ]
        }
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "RoleName": {
     "Fn::Join": [
      "",
      [
       "SO0111-SetIAMPasswordPolicy-",
       {
        "Ref": "Namespace"
       }
      ]
     ]
    }
   },
   "DependsOn": [
    "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5"
   ],
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W11",
       "reason": "Resource * is required due to the administrative nature of the solution."
      },
      {
       "id": "W28",
       "reason": "Static names chosen intentionally to provide integration in cross-account permissions"
      }
     ]
    }
   }
  },
  "ASRRemediationPolicyDisablePublicAccessToRDSInstanceCEF31FFA": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "rds:DescribeDBInstances",
        "rds:ModifyDBInstance"
       ],
       "Effect": "Allow",
       "Resource": "*"
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "ASRRemediationPolicyDisablePublicAccessToRDSInstanceCEF31FFA",
    "Roles": [
     {
      "Ref": "RemediationRoleDisablePublicAccessToRDSInstanceMemberAccountRole7E0A6680"
     }
    ]
   },
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W12",
       "reason": "Resource * is required to allow remediation for any resource."
      }
     ]
    }
   }
  },
  "RemediationRoleDisablePublicAccessToRDSInstanceSHARRMemberBasePolicyD50CB3CA": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "ssm:GetParameters",
        "ssm:GetParameter",
        "ssm:PutParameter"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":ssm:*:",
          {
           "Ref": "AWS::AccountId"
          },
          ":parameter/Solutions/SO0111/*"
         ]
        ]
       }
      },
      {
       "Action": "iam:PassRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-DisablePublicAccessToRDSInstance-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      },
      {
       "Action": [
        "ssm:StartAutomationExecution",
        "ssm:GetAutomationExecution",
        "ssm:DescribeAutomationStepExecutions"
       ],
       "Effect": "Allow",
       "Resource": [
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":document/Solutions/SHARR-SO0111-DisablePublicAccessToRDSInstance-",
           {
            "Ref": "Namespace"
           }
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*::automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-execution/*"
          ]
         ]
        }
       ]
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-DisablePublicAccessToRDSInstance-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "RemediationRoleDisablePublicAccessToRDSInstanceSHARRMemberBasePolicyD50CB3CA",
    "Roles": [
     {
      "Ref": "RemediationRoleDisablePublicAccessToRDSInstanceMemberAccountRole7E0A6680"
     }
    ]
   }
  },
  "RemediationRoleDisablePublicAccessToRDSInstanceMemberAccountRole7E0A6680": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":role/SO0111-SHARR-Orchestrator-Member"
          ]
         ]
        }
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "Service": "ssm.amazonaws.com"
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":root"
          ]
         ]
        }
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "RoleName": {
     "Fn::Join": [
      "",
      [
       "SO0111-DisablePublicAccessToRDSInstance-",
       {
        "Ref": "Namespace"
       }
      ]
     ]
    }
   },
   "DependsOn": [
    "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5"
   ],
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W11",
       "reason": "Resource * is required due to the administrative nature of the solution."
      },
      {
       "id": "W28",
       "reason": "Static names chosen intentionally to provide integration in cross-account permissions"
      }
     ]
    }
   }
  },
  "ASRRemediationPolicyEnableMinorVersionUpgradeOnRDSDBInstance2413B7D6": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "rds:DescribeDBInstances",
        "rds:ModifyDBInstance",
        "rds:DescribeDBClusters",
        "rds:ModifyDBCluster"
       ],
       "Effect": "Allow",
       "Resource": "*"
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "ASRRemediationPolicyEnableMinorVersionUpgradeOnRDSDBInstance2413B7D6",
    "Roles": [
     {
      "Ref": "RemediationRoleEnableMinorVersionUpgradeOnRDSDBInstanceMemberAccountRole66157FBF"
     }
    ]
   },
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W12",
       "reason": "Resource * is required for to allow remediation for any resource."
      }
     ]
    }
   }
  },
  "RemediationRoleEnableMinorVersionUpgradeOnRDSDBInstanceSHARRMemberBasePolicyCB8B3F14": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "ssm:GetParameters",
        "ssm:GetParameter",
        "ssm:PutParameter"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":ssm:*:",
          {
           "Ref": "AWS::AccountId"
          },
          ":parameter/Solutions/SO0111/*"
         ]
        ]
       }
      },
      {
       "Action": "iam:PassRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-EnableMinorVersionUpgradeOnRDSDBInstance-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      },
      {
       "Action": [
        "ssm:StartAutomationExecution",
        "ssm:GetAutomationExecution",
        "ssm:DescribeAutomationStepExecutions"
       ],
       "Effect": "Allow",
       "Resource": [
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":document/Solutions/SHARR-SO0111-EnableMinorVersionUpgradeOnRDSDBInstance-",
           {
            "Ref": "Namespace"
           }
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*::automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-execution/*"
          ]
         ]
        }
       ]
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-EnableMinorVersionUpgradeOnRDSDBInstance-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "RemediationRoleEnableMinorVersionUpgradeOnRDSDBInstanceSHARRMemberBasePolicyCB8B3F14",
    "Roles": [
     {
      "Ref": "RemediationRoleEnableMinorVersionUpgradeOnRDSDBInstanceMemberAccountRole66157FBF"
     }
    ]
   }
  },
  "RemediationRoleEnableMinorVersionUpgradeOnRDSDBInstanceMemberAccountRole66157FBF": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":role/SO0111-SHARR-Orchestrator-Member"
          ]
         ]
        }
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "Service": "ssm.amazonaws.com"
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":root"
          ]
         ]
        }
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "RoleName": {
     "Fn::Join": [
      "",
      [
       "SO0111-EnableMinorVersionUpgradeOnRDSDBInstance-",
       {
        "Ref": "Namespace"
       }
      ]
     ]
    }
   },
   "DependsOn": [
    "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5"
   ],
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W11",
       "reason": "Resource * is required due to the administrative nature of the solution."
      },
      {
       "id": "W28",
       "reason": "Static names chosen intentionally to provide integration in cross-account permissions"
      }
     ]
    }
   }
  },
  "ASRRemediationPolicyEnableEncryptionForSNSTopicA4AB21F5": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "sns:SetTopicAttributes",
        "sns:GetTopicAttributes"
       ],
       "Effect": "Allow",
       "Resource": "*"
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "ASRRemediationPolicyEnableEncryptionForSNSTopicA4AB21F5",
    "Roles": [
     {
      "Ref": "RemediationRoleEnableEncryptionForSNSTopicMemberAccountRoleA4EF5A6E"
     }
    ]
   },
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W12",
       "reason": "Resource * is required for to allow remediation for any resource."
      }
     ]
    }
   }
  },
  "RemediationRoleEnableEncryptionForSNSTopicSHARRMemberBasePolicy1899CCB2": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "ssm:GetParameters",
        "ssm:GetParameter",
        "ssm:PutParameter"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":ssm:*:",
          {
           "Ref": "AWS::AccountId"
          },
          ":parameter/Solutions/SO0111/*"
         ]
        ]
       }
      },
      {
       "Action": "iam:PassRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-EnableEncryptionForSNSTopic-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      },
      {
       "Action": [
        "ssm:StartAutomationExecution",
        "ssm:GetAutomationExecution",
        "ssm:DescribeAutomationStepExecutions"
       ],
       "Effect": "Allow",
       "Resource": [
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":document/Solutions/SHARR-SO0111-EnableEncryptionForSNSTopic-",
           {
            "Ref": "Namespace"
           }
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*::automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-execution/*"
          ]
         ]
        }
       ]
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-EnableEncryptionForSNSTopic-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "RemediationRoleEnableEncryptionForSNSTopicSHARRMemberBasePolicy1899CCB2",
    "Roles": [
     {
      "Ref": "RemediationRoleEnableEncryptionForSNSTopicMemberAccountRoleA4EF5A6E"
     }
    ]
   }
  },
  "RemediationRoleEnableEncryptionForSNSTopicMemberAccountRoleA4EF5A6E": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":role/SO0111-SHARR-Orchestrator-Member"
          ]
         ]
        }
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "Service": "ssm.amazonaws.com"
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":root"
          ]
         ]
        }
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "RoleName": {
     "Fn::Join": [
      "",
      [
       "SO0111-EnableEncryptionForSNSTopic-",
       {
        "Ref": "Namespace"
       }
      ]
     ]
    }
   },
   "DependsOn": [
    "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5"
   ],
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W11",
       "reason": "Resource * is required due to the administrative nature of the solution."
      },
      {
       "id": "W28",
       "reason": "Static names chosen intentionally to provide integration in cross-account permissions"
      }
     ]
    }
   }
  },
  "ASRRemediationPolicyEnableDeliveryStatusLoggingForSNSTopicF426D24F": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "sns:SetTopicAttributes",
        "sns:GetTopicAttributes"
       ],
       "Effect": "Allow",
       "Resource": "*"
      },
      {
       "Action": [
        "iam:GetRole",
        "iam:PassRole"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::GetAtt": [
         "SNS2DeliveryStatusLoggingRole8CA29B1D",
         "Arn"
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "ASRRemediationPolicyEnableDeliveryStatusLoggingForSNSTopicF426D24F",
    "Roles": [
     {
      "Ref": "RemediationRoleEnableDeliveryStatusLoggingForSNSTopicMemberAccountRoleCF9E61FE"
     }
    ]
   },
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W12",
       "reason": "Resource * is required for to allow remediation for any resource."
      }
     ]
    }
   }
  },
  "SNS2DeliveryStatusLoggingRoleDeliveryStatusLoggingPolicy4C4F6343": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "logs:PutMetricFilter",
        "logs:PutRetentionPolicy"
       ],
       "Effect": "Allow",
       "Resource": "*",
       "Sid": "EnableDeliveryStatusLoggingForSNSTopic"
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "SNS2DeliveryStatusLoggingRoleDeliveryStatusLoggingPolicy4C4F6343",
    "Roles": [
     {
      "Ref": "SNS2DeliveryStatusLoggingRole8CA29B1D"
     }
    ]
   },
   "Metadata": {
    "cdk_nag": {
     "rules_to_suppress": [
      {
       "reason": "Resource * is required to allow delivery status logging for any topic.",
       "id": "AwsSolutions-IAM5"
      }
     ]
    }
   }
  },
  "SNS2DeliveryStatusLoggingRole8CA29B1D": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "Service": "sns.amazonaws.com"
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "Description": "Role automatically created by ASR for remediation of SNS.2 findings. \n      This role is retained after the solution is deleted to support continuing function \n      of SNS delivery status logging enabled by this remediation. Before removing this \n      role, use IAM access analyzer for confirming it's safe",
    "RoleName": {
     "Fn::Join": [
      "",
      [
       "SO0111-SNS2DeliveryStatusLogging-remediationRole-",
       {
        "Ref": "Namespace"
       }
      ]
     ]
    },
    "Tags": [
     {
      "Key": "SO0111",
      "Value": "RetainedRole"
     }
    ]
   },
   "UpdateReplacePolicy": "Retain",
   "DeletionPolicy": "Retain",
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W12",
       "reason": "Resource * is required to allow delivery status logging for any topic."
      }
     ]
    },
    "guard": {
     "SuppressedRules": [
      "CFN_NO_EXPLICIT_RESOURCE_NAMES"
     ]
    }
   }
  },
  "RemediationRoleEnableDeliveryStatusLoggingForSNSTopicSHARRMemberBasePolicyB5BB9F17": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "ssm:GetParameters",
        "ssm:GetParameter",
        "ssm:PutParameter"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":ssm:*:",
          {
           "Ref": "AWS::AccountId"
          },
          ":parameter/Solutions/SO0111/*"
         ]
        ]
       }
      },
      {
       "Action": "iam:PassRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-EnableDeliveryStatusLoggingForSNSTopic-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      },
      {
       "Action": [
        "ssm:StartAutomationExecution",
        "ssm:GetAutomationExecution",
        "ssm:DescribeAutomationStepExecutions"
       ],
       "Effect": "Allow",
       "Resource": [
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":document/Solutions/SHARR-SO0111-EnableDeliveryStatusLoggingForSNSTopic-",
           {
            "Ref": "Namespace"
           }
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*::automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-execution/*"
          ]
         ]
        }
       ]
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-EnableDeliveryStatusLoggingForSNSTopic-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "RemediationRoleEnableDeliveryStatusLoggingForSNSTopicSHARRMemberBasePolicyB5BB9F17",
    "Roles": [
     {
      "Ref": "RemediationRoleEnableDeliveryStatusLoggingForSNSTopicMemberAccountRoleCF9E61FE"
     }
    ]
   }
  },
  "RemediationRoleEnableDeliveryStatusLoggingForSNSTopicMemberAccountRoleCF9E61FE": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":role/SO0111-SHARR-Orchestrator-Member"
          ]
         ]
        }
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "Service": "ssm.amazonaws.com"
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":root"
          ]
         ]
        }
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "RoleName": {
     "Fn::Join": [
      "",
      [
       "SO0111-EnableDeliveryStatusLoggingForSNSTopic-",
       {
        "Ref": "Namespace"
       }
      ]
     ]
    }
   },
   "DependsOn": [
    "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5"
   ],
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W11",
       "reason": "Resource * is required due to the administrative nature of the solution."
      },
      {
       "id": "W28",
       "reason": "Static names chosen intentionally to provide integration in cross-account permissions"
      }
     ]
    }
   }
  },
  "ASRRemediationPolicyDisablePublicIPAutoAssign992332FF": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "ec2:DescribeSubnets",
        "ec2:ModifySubnetAttribute"
       ],
       "Effect": "Allow",
       "Resource": "*"
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "ASRRemediationPolicyDisablePublicIPAutoAssign992332FF",
    "Roles": [
     {
      "Ref": "RemediationRoleDisablePublicIPAutoAssignMemberAccountRoleFEEDBF8B"
     }
    ]
   },
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W12",
       "reason": "Resource * is required for to allow remediation for any resource."
      }
     ]
    }
   }
  },
  "RemediationRoleDisablePublicIPAutoAssignSHARRMemberBasePolicy3E997D42": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "ssm:GetParameters",
        "ssm:GetParameter",
        "ssm:PutParameter"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":ssm:*:",
          {
           "Ref": "AWS::AccountId"
          },
          ":parameter/Solutions/SO0111/*"
         ]
        ]
       }
      },
      {
       "Action": "iam:PassRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-DisablePublicIPAutoAssign-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      },
      {
       "Action": [
        "ssm:StartAutomationExecution",
        "ssm:GetAutomationExecution",
        "ssm:DescribeAutomationStepExecutions"
       ],
       "Effect": "Allow",
       "Resource": [
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":document/Solutions/SHARR-SO0111-DisablePublicIPAutoAssign-",
           {
            "Ref": "Namespace"
           }
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*::automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-execution/*"
          ]
         ]
        }
       ]
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-DisablePublicIPAutoAssign-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "RemediationRoleDisablePublicIPAutoAssignSHARRMemberBasePolicy3E997D42",
    "Roles": [
     {
      "Ref": "RemediationRoleDisablePublicIPAutoAssignMemberAccountRoleFEEDBF8B"
     }
    ]
   }
  },
  "RemediationRoleDisablePublicIPAutoAssignMemberAccountRoleFEEDBF8B": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":role/SO0111-SHARR-Orchestrator-Member"
          ]
         ]
        }
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "Service": "ssm.amazonaws.com"
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":root"
          ]
         ]
        }
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "RoleName": {
     "Fn::Join": [
      "",
      [
       "SO0111-DisablePublicIPAutoAssign-",
       {
        "Ref": "Namespace"
       }
      ]
     ]
    }
   },
   "DependsOn": [
    "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5"
   ],
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W11",
       "reason": "Resource * is required due to the administrative nature of the solution."
      },
      {
       "id": "W28",
       "reason": "Static names chosen intentionally to provide integration in cross-account permissions"
      }
     ]
    }
   }
  },
  "ASRRemediationPolicyEnableIMDSV2OnInstance33B34528": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "ec2:DescribeInstances",
        "ec2:ModifyInstanceMetadataOptions"
       ],
       "Effect": "Allow",
       "Resource": "*"
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "ASRRemediationPolicyEnableIMDSV2OnInstance33B34528",
    "Roles": [
     {
      "Ref": "RemediationRoleEnableIMDSV2OnInstanceMemberAccountRole8957BF7F"
     }
    ]
   },
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W12",
       "reason": "Resource * is required for to allow remediation for any resource."
      }
     ]
    }
   }
  },
  "RemediationRoleEnableIMDSV2OnInstanceSHARRMemberBasePolicy8C39DF27": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "ssm:GetParameters",
        "ssm:GetParameter",
        "ssm:PutParameter"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":ssm:*:",
          {
           "Ref": "AWS::AccountId"
          },
          ":parameter/Solutions/SO0111/*"
         ]
        ]
       }
      },
      {
       "Action": "iam:PassRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-EnableIMDSV2OnInstance-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      },
      {
       "Action": [
        "ssm:StartAutomationExecution",
        "ssm:GetAutomationExecution",
        "ssm:DescribeAutomationStepExecutions"
       ],
       "Effect": "Allow",
       "Resource": [
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":document/Solutions/SHARR-SO0111-EnableIMDSV2OnInstance-",
           {
            "Ref": "Namespace"
           }
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*::automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-execution/*"
          ]
         ]
        }
       ]
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-EnableIMDSV2OnInstance-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "RemediationRoleEnableIMDSV2OnInstanceSHARRMemberBasePolicy8C39DF27",
    "Roles": [
     {
      "Ref": "RemediationRoleEnableIMDSV2OnInstanceMemberAccountRole8957BF7F"
     }
    ]
   }
  },
  "RemediationRoleEnableIMDSV2OnInstanceMemberAccountRole8957BF7F": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":role/SO0111-SHARR-Orchestrator-Member"
          ]
         ]
        }
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "Service": "ssm.amazonaws.com"
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":root"
          ]
         ]
        }
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "RoleName": {
     "Fn::Join": [
      "",
      [
       "SO0111-EnableIMDSV2OnInstance-",
       {
        "Ref": "Namespace"
       }
      ]
     ]
    }
   },
   "DependsOn": [
    "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5"
   ],
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W11",
       "reason": "Resource * is required due to the administrative nature of the solution."
      },
      {
       "id": "W28",
       "reason": "Static names chosen intentionally to provide integration in cross-account permissions"
      }
     ]
    }
   }
  },
  "ASRRemediationPolicyRemoveCodeBuildPrivilegedModeF4DE6F07": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "codebuild:BatchGetProjects",
        "codebuild:UpdateProject"
       ],
       "Effect": "Allow",
       "Resource": "*"
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "ASRRemediationPolicyRemoveCodeBuildPrivilegedModeF4DE6F07",
    "Roles": [
     {
      "Ref": "RemediationRoleRemoveCodeBuildPrivilegedModeMemberAccountRoleFAE52D4A"
     }
    ]
   },
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W12",
       "reason": "Resource * is required for to allow remediation for any resource."
      }
     ]
    }
   }
  },
  "RemediationRoleRemoveCodeBuildPrivilegedModeSHARRMemberBasePolicy802D7343": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "ssm:GetParameters",
        "ssm:GetParameter",
        "ssm:PutParameter"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":ssm:*:",
          {
           "Ref": "AWS::AccountId"
          },
          ":parameter/Solutions/SO0111/*"
         ]
        ]
       }
      },
      {
       "Action": "iam:PassRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-RemoveCodeBuildPrivilegedMode-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      },
      {
       "Action": [
        "ssm:StartAutomationExecution",
        "ssm:GetAutomationExecution",
        "ssm:DescribeAutomationStepExecutions"
       ],
       "Effect": "Allow",
       "Resource": [
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":document/Solutions/SHARR-SO0111-RemoveCodeBuildPrivilegedMode-",
           {
            "Ref": "Namespace"
           }
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*::automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-execution/*"
          ]
         ]
        }
       ]
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-RemoveCodeBuildPrivilegedMode-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "RemediationRoleRemoveCodeBuildPrivilegedModeSHARRMemberBasePolicy802D7343",
    "Roles": [
     {
      "Ref": "RemediationRoleRemoveCodeBuildPrivilegedModeMemberAccountRoleFAE52D4A"
     }
    ]
   }
  },
  "RemediationRoleRemoveCodeBuildPrivilegedModeMemberAccountRoleFAE52D4A": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":role/SO0111-SHARR-Orchestrator-Member"
          ]
         ]
        }
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "Service": "ssm.amazonaws.com"
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":root"
          ]
         ]
        }
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "RoleName": {
     "Fn::Join": [
      "",
      [
       "SO0111-RemoveCodeBuildPrivilegedMode-",
       {
        "Ref": "Namespace"
       }
      ]
     ]
    }
   },
   "DependsOn": [
    "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5"
   ],
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W11",
       "reason": "Resource * is required due to the administrative nature of the solution."
      },
      {
       "id": "W28",
       "reason": "Static names chosen intentionally to provide integration in cross-account permissions"
      }
     ]
    }
   }
  },
  "ASRRemediationPolicyEnableCloudFrontDefaultRootObjectB01B99AC": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "cloudfront:GetDistributionConfig",
        "cloudfront:UpdateDistribution"
       ],
       "Effect": "Allow",
       "Resource": "*"
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "ASRRemediationPolicyEnableCloudFrontDefaultRootObjectB01B99AC",
    "Roles": [
     {
      "Ref": "RemediationRoleEnableCloudFrontDefaultRootObjectMemberAccountRole52E30D4D"
     }
    ]
   },
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W12",
       "reason": "Resource * is required to allow remediation for any resource."
      }
     ]
    }
   }
  },
  "RemediationRoleEnableCloudFrontDefaultRootObjectSHARRMemberBasePolicy6629B024": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "ssm:GetParameters",
        "ssm:GetParameter",
        "ssm:PutParameter"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":ssm:*:",
          {
           "Ref": "AWS::AccountId"
          },
          ":parameter/Solutions/SO0111/*"
         ]
        ]
       }
      },
      {
       "Action": "iam:PassRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-EnableCloudFrontDefaultRootObject-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      },
      {
       "Action": [
        "ssm:StartAutomationExecution",
        "ssm:GetAutomationExecution",
        "ssm:DescribeAutomationStepExecutions"
       ],
       "Effect": "Allow",
       "Resource": [
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":document/Solutions/SHARR-SO0111-EnableCloudFrontDefaultRootObject-",
           {
            "Ref": "Namespace"
           }
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*::automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-execution/*"
          ]
         ]
        }
       ]
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-EnableCloudFrontDefaultRootObject-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "RemediationRoleEnableCloudFrontDefaultRootObjectSHARRMemberBasePolicy6629B024",
    "Roles": [
     {
      "Ref": "RemediationRoleEnableCloudFrontDefaultRootObjectMemberAccountRole52E30D4D"
     }
    ]
   }
  },
  "RemediationRoleEnableCloudFrontDefaultRootObjectMemberAccountRole52E30D4D": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":role/SO0111-SHARR-Orchestrator-Member"
          ]
         ]
        }
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "Service": "ssm.amazonaws.com"
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":root"
          ]
         ]
        }
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "RoleName": {
     "Fn::Join": [
      "",
      [
       "SO0111-EnableCloudFrontDefaultRootObject-",
       {
        "Ref": "Namespace"
       }
      ]
     ]
    }
   },
   "DependsOn": [
    "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5"
   ],
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W11",
       "reason": "Resource * is required due to the administrative nature of the solution."
      },
      {
       "id": "W28",
       "reason": "Static names chosen intentionally to provide integration in cross-account permissions"
      }
     ]
    }
   }
  },
  "ASRRemediationPolicyBlockSSMDocumentPublicAccess2B816E49": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "ssm:DescribeDocumentPermission",
        "ssm:ModifyDocumentPermission"
       ],
       "Effect": "Allow",
       "Resource": "*"
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "ASRRemediationPolicyBlockSSMDocumentPublicAccess2B816E49",
    "Roles": [
     {
      "Ref": "RemediationRoleBlockSSMDocumentPublicAccessMemberAccountRoleC8F76AE9"
     }
    ]
   },
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W12",
       "reason": "Resource * is required to allow remediation for any resource."
      }
     ]
    }
   }
  },
  "RemediationRoleBlockSSMDocumentPublicAccessSHARRMemberBasePolicy2E84D0B3": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "ssm:GetParameters",
        "ssm:GetParameter",
        "ssm:PutParameter"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":ssm:*:",
          {
           "Ref": "AWS::AccountId"
          },
          ":parameter/Solutions/SO0111/*"
         ]
        ]
       }
      },
      {
       "Action": "iam:PassRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-BlockSSMDocumentPublicAccess-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      },
      {
       "Action": [
        "ssm:StartAutomationExecution",
        "ssm:GetAutomationExecution",
        "ssm:DescribeAutomationStepExecutions"
       ],
       "Effect": "Allow",
       "Resource": [
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":document/Solutions/SHARR-SO0111-BlockSSMDocumentPublicAccess-",
           {
            "Ref": "Namespace"
           }
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*::automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-execution/*"
          ]
         ]
        }
       ]
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-BlockSSMDocumentPublicAccess-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "RemediationRoleBlockSSMDocumentPublicAccessSHARRMemberBasePolicy2E84D0B3",
    "Roles": [
     {
      "Ref": "RemediationRoleBlockSSMDocumentPublicAccessMemberAccountRoleC8F76AE9"
     }
    ]
   }
  },
  "RemediationRoleBlockSSMDocumentPublicAccessMemberAccountRoleC8F76AE9": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":role/SO0111-SHARR-Orchestrator-Member"
          ]
         ]
        }
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "Service": "ssm.amazonaws.com"
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":root"
          ]
         ]
        }
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "RoleName": {
     "Fn::Join": [
      "",
      [
       "SO0111-BlockSSMDocumentPublicAccess-",
       {
        "Ref": "Namespace"
       }
      ]
     ]
    }
   },
   "DependsOn": [
    "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5"
   ],
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W11",
       "reason": "Resource * is required due to the administrative nature of the solution."
      },
      {
       "id": "W28",
       "reason": "Static names chosen intentionally to provide integration in cross-account permissions"
      }
     ]
    }
   }
  },
  "ASRRemediationPolicyAttachSSMPermissionsToEC200DF3702": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": "iam:PassRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-AttachSSMPermissionsToEC2-RemediationRole-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      },
      {
       "Action": [
        "iam:GetRole",
        "iam:GetInstanceProfile",
        "iam:ListAttachedRolePolicies",
        "iam:AttachRolePolicy",
        "iam:ListRolePolicies",
        "iam:AddRoleToInstanceProfile"
       ],
       "Effect": "Allow",
       "Resource": [
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":role/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":instance-profile/*"
          ]
         ]
        }
       ]
      },
      {
       "Action": [
        "ec2:DescribeIamInstanceProfileAssociations",
        "ec2:AssociateIamInstanceProfile"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":ec2:*:",
          {
           "Ref": "AWS::AccountId"
          },
          ":instance/*"
         ]
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "ASRRemediationPolicyAttachSSMPermissionsToEC200DF3702",
    "Roles": [
     {
      "Ref": "RemediationRoleAttachSSMPermissionsToEC2MemberAccountRole3C1CAE9D"
     }
    ]
   },
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W12",
       "reason": "Resource * is required to allow remediation of any EC2 instances."
      }
     ]
    }
   }
  },
  "RemediationRoleAttachSSMPermissionsToEC2SHARRMemberBasePolicyAAB73901": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "ssm:GetParameters",
        "ssm:GetParameter",
        "ssm:PutParameter"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":ssm:*:",
          {
           "Ref": "AWS::AccountId"
          },
          ":parameter/Solutions/SO0111/*"
         ]
        ]
       }
      },
      {
       "Action": "iam:PassRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-AttachSSMPermissionsToEC2-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      },
      {
       "Action": [
        "ssm:StartAutomationExecution",
        "ssm:GetAutomationExecution",
        "ssm:DescribeAutomationStepExecutions"
       ],
       "Effect": "Allow",
       "Resource": [
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":document/Solutions/SHARR-SO0111-AttachSSMPermissionsToEC2-",
           {
            "Ref": "Namespace"
           }
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*::automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-execution/*"
          ]
         ]
        }
       ]
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-AttachSSMPermissionsToEC2-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "RemediationRoleAttachSSMPermissionsToEC2SHARRMemberBasePolicyAAB73901",
    "Roles": [
     {
      "Ref": "RemediationRoleAttachSSMPermissionsToEC2MemberAccountRole3C1CAE9D"
     }
    ]
   }
  },
  "RemediationRoleAttachSSMPermissionsToEC2MemberAccountRole3C1CAE9D": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":role/SO0111-SHARR-Orchestrator-Member"
          ]
         ]
        }
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "Service": "ssm.amazonaws.com"
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":root"
          ]
         ]
        }
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "RoleName": {
     "Fn::Join": [
      "",
      [
       "SO0111-AttachSSMPermissionsToEC2-",
       {
        "Ref": "Namespace"
       }
      ]
     ]
    }
   },
   "DependsOn": [
    "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5"
   ],
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W11",
       "reason": "Resource * is required due to the administrative nature of the solution."
      },
      {
       "id": "W28",
       "reason": "Static names chosen intentionally to provide integration in cross-account permissions"
      }
     ]
    }
   }
  },
  "AttachSSMPermissionsToEC2remediationrole695BE4E5": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "Service": "ec2.amazonaws.com"
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "ManagedPolicyArns": [
     {
      "Fn::Join": [
       "",
       [
        "arn:",
        {
         "Ref": "AWS::Partition"
        },
        ":iam::aws:policy/AmazonSSMManagedInstanceCore"
       ]
      ]
     }
    ],
    "RoleName": {
     "Fn::Join": [
      "",
      [
       "SO0111-AttachSSMPermissionsToEC2-RemediationRole-",
       {
        "Ref": "Namespace"
       }
      ]
     ]
    }
   },
   "UpdateReplacePolicy": "Retain",
   "DeletionPolicy": "Retain",
   "Metadata": {
    "cdk_nag": {
     "rules_to_suppress": [
      {
       "reason": "AWS Managed policy AmazonSSMManagedInstanceCore is required by SSM to automatically manage EC2 Instances.",
       "id": "AwsSolutions-IAM4"
      }
     ]
    },
    "guard": {
     "SuppressedRules": [
      "CFN_NO_EXPLICIT_RESOURCE_NAMES"
     ]
    }
   }
  },
  "AttachSSMPermissionsToEC2instanceprofileE438BA1D": {
   "Type": "AWS::IAM::InstanceProfile",
   "Properties": {
    "InstanceProfileName": {
     "Fn::Join": [
      "",
      [
       "SO0111-AttachSSMPermissionsToEC2-InstanceProfile-",
       {
        "Ref": "Namespace"
       }
      ]
     ]
    },
    "Roles": [
     {
      "Ref": "AttachSSMPermissionsToEC2remediationrole695BE4E5"
     }
    ]
   },
   "UpdateReplacePolicy": "Retain",
   "DeletionPolicy": "Retain"
  },
  "ASRRemediationPolicyAttachServiceVPCEndpoint84A124F9": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "ec2:CreateVpcEndpoint",
        "ec2:DescribeVpcAttribute"
       ],
       "Effect": "Allow",
       "Resource": [
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ec2:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":vpc/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ec2:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":vpc-endpoint/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ec2:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":subnet/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ec2:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":security-group/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ec2:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":route-table/*"
          ]
         ]
        }
       ]
      },
      {
       "Action": "route53:AssociateVPCWithHostedZone",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":route53:::hostedzone/*"
         ]
        ]
       }
      },
      {
       "Action": [
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs"
       ],
       "Effect": "Allow",
       "Resource": "*"
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "ASRRemediationPolicyAttachServiceVPCEndpoint84A124F9",
    "Roles": [
     {
      "Ref": "RemediationRoleAttachServiceVPCEndpointMemberAccountRole6AF8EBD9"
     }
    ]
   },
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W12",
       "reason": "Resource * is required to list all VPC subnets."
      }
     ]
    }
   }
  },
  "RemediationRoleAttachServiceVPCEndpointSHARRMemberBasePolicyF25C6FB7": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "ssm:GetParameters",
        "ssm:GetParameter",
        "ssm:PutParameter"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":ssm:*:",
          {
           "Ref": "AWS::AccountId"
          },
          ":parameter/Solutions/SO0111/*"
         ]
        ]
       }
      },
      {
       "Action": "iam:PassRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-AttachServiceVPCEndpoint-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      },
      {
       "Action": [
        "ssm:StartAutomationExecution",
        "ssm:GetAutomationExecution",
        "ssm:DescribeAutomationStepExecutions"
       ],
       "Effect": "Allow",
       "Resource": [
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":document/Solutions/SHARR-SO0111-AttachServiceVPCEndpoint-",
           {
            "Ref": "Namespace"
           }
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*::automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-execution/*"
          ]
         ]
        }
       ]
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-AttachServiceVPCEndpoint-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "RemediationRoleAttachServiceVPCEndpointSHARRMemberBasePolicyF25C6FB7",
    "Roles": [
     {
      "Ref": "RemediationRoleAttachServiceVPCEndpointMemberAccountRole6AF8EBD9"
     }
    ]
   }
  },
  "RemediationRoleAttachServiceVPCEndpointMemberAccountRole6AF8EBD9": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":role/SO0111-SHARR-Orchestrator-Member"
          ]
         ]
        }
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "Service": "ssm.amazonaws.com"
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":root"
          ]
         ]
        }
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "RoleName": {
     "Fn::Join": [
      "",
      [
       "SO0111-AttachServiceVPCEndpoint-",
       {
        "Ref": "Namespace"
       }
      ]
     ]
    }
   },
   "DependsOn": [
    "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5"
   ],
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W11",
       "reason": "Resource * is required due to the administrative nature of the solution."
      },
      {
       "id": "W28",
       "reason": "Static names chosen intentionally to provide integration in cross-account permissions"
      }
     ]
    }
   }
  },
  "ASRRemediationPolicyEnableBucketEventNotifications82104223": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "s3:GetBucketNotification",
        "s3:PutBucketNotification",
        "sns:CreateTopic",
        "sns:GetTopicAttributes",
        "sns:SetTopicAttributes"
       ],
       "Effect": "Allow",
       "Resource": "*"
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "ASRRemediationPolicyEnableBucketEventNotifications82104223",
    "Roles": [
     {
      "Ref": "RemediationRoleEnableBucketEventNotificationsMemberAccountRole8F25C546"
     }
    ]
   },
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
       {
        "id": "W12",
        "reason": "Resource * is required to allow remediation for any resource."
      }
     ]
    }
   }
  },
  "RemediationRoleEnableBucketEventNotificationsSHARRMemberBasePolicy5CD4A883": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "ssm:GetParameters",
        "ssm:GetParameter",
        "ssm:PutParameter"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":ssm:*:",
          {
           "Ref": "AWS::AccountId"
          },
          ":parameter/Solutions/SO0111/*"
         ]
        ]
       }
      },
      {
       "Action": "iam:PassRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-EnableBucketEventNotifications-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      },
      {
       "Action": [
        "ssm:StartAutomationExecution",
        "ssm:GetAutomationExecution",
        "ssm:DescribeAutomationStepExecutions"
       ],
       "Effect": "Allow",
       "Resource": [
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":document/Solutions/SHARR-SO0111-EnableBucketEventNotifications-",
           {
            "Ref": "Namespace"
           }
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*::automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-execution/*"
          ]
         ]
        }
       ]
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-EnableBucketEventNotifications-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "RemediationRoleEnableBucketEventNotificationsSHARRMemberBasePolicy5CD4A883",
    "Roles": [
     {
      "Ref": "RemediationRoleEnableBucketEventNotificationsMemberAccountRole8F25C546"
     }
    ]
   }
  },
  "RemediationRoleEnableBucketEventNotificationsMemberAccountRole8F25C546": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":role/SO0111-SHARR-Orchestrator-Member"
          ]
         ]
        }
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "Service": "ssm.amazonaws.com"
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":root"
          ]
         ]
        }
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "RoleName": {
     "Fn::Join": [
      "",
      [
       "SO0111-EnableBucketEventNotifications-",
       {
        "Ref": "Namespace"
       }
      ]
     ]
    }
   },
   "DependsOn": [
    "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5"
   ],
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W11",
       "reason": "Resource * is required due to the administrative nature of the solution."
      },
      {
       "id": "W28",
       "reason": "Static names chosen intentionally to provide integration in cross-account permissions"
      }
     ]
    }
   }
  },
  "ASRRemediationPolicySetCloudFrontOriginDomain64A49EDE": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "cloudfront:UpdateDistribution",
        "cloudfront:GetDistributionConfig"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":cloudfront::",
          {
           "Ref": "AWS::AccountId"
          },
          ":distribution/*"
         ]
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "ASRRemediationPolicySetCloudFrontOriginDomain64A49EDE",
    "Roles": [
     {
      "Ref": "RemediationRoleSetCloudFrontOriginDomainMemberAccountRoleCE84BD55"
     }
    ]
   },
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
       {
        "id": "W12",
        "reason": "Resource * is required to allow remediation for any resource."
      }
     ]
    }
   }
  },
  "RemediationRoleSetCloudFrontOriginDomainSHARRMemberBasePolicy5AF92DA5": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "ssm:GetParameters",
        "ssm:GetParameter",
        "ssm:PutParameter"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":ssm:*:",
          {
           "Ref": "AWS::AccountId"
          },
          ":parameter/Solutions/SO0111/*"
         ]
        ]
       }
      },
      {
       "Action": "iam:PassRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-SetCloudFrontOriginDomain-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      },
      {
       "Action": [
        "ssm:StartAutomationExecution",
        "ssm:GetAutomationExecution",
        "ssm:DescribeAutomationStepExecutions"
       ],
       "Effect": "Allow",
       "Resource": [
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":document/Solutions/SHARR-SO0111-SetCloudFrontOriginDomain-",
           {
            "Ref": "Namespace"
           }
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*::automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-execution/*"
          ]
         ]
        }
       ]
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-SetCloudFrontOriginDomain-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "RemediationRoleSetCloudFrontOriginDomainSHARRMemberBasePolicy5AF92DA5",
    "Roles": [
     {
      "Ref": "RemediationRoleSetCloudFrontOriginDomainMemberAccountRoleCE84BD55"
     }
    ]
   }
  },
  "RemediationRoleSetCloudFrontOriginDomainMemberAccountRoleCE84BD55": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":role/SO0111-SHARR-Orchestrator-Member"
          ]
         ]
        }
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "Service": "ssm.amazonaws.com"
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":root"
          ]
         ]
        }
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "RoleName": {
     "Fn::Join": [
      "",
      [
       "SO0111-SetCloudFrontOriginDomain-",
       {
        "Ref": "Namespace"
       }
      ]
     ]
    }
   },
   "DependsOn": [
    "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5"
   ],
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W11",
       "reason": "Resource * is required due to the administrative nature of the solution."
      },
      {
       "id": "W28",
       "reason": "Static names chosen intentionally to provide integration in cross-account permissions"
      }
     ]
    }
   }
  },
  "ASRRemediationPolicyDisableUnrestrictedAccessToHighRiskPortsB2871524": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "ec2:DescribeSecurityGroupRules",
        "ec2:RevokeSecurityGroupIngress"
       ],
       "Effect": "Allow",
       "Resource": "*"
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "ASRRemediationPolicyDisableUnrestrictedAccessToHighRiskPortsB2871524",
    "Roles": [
     {
      "Ref": "RemediationRoleDisableUnrestrictedAccessToHighRiskPortsMemberAccountRole4FB39E11"
     }
    ]
   },
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
       {
        "id": "W12",
        "reason": "Resource * is required to allow remediation for any resource."
      }
     ]
    }
   }
  },
  "RemediationRoleDisableUnrestrictedAccessToHighRiskPortsSHARRMemberBasePolicy1E31B945": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "ssm:GetParameters",
        "ssm:GetParameter",
        "ssm:PutParameter"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":ssm:*:",
          {
           "Ref": "AWS::AccountId"
          },
          ":parameter/Solutions/SO0111/*"
         ]
        ]
       }
      },
      {
       "Action": "iam:PassRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-DisableUnrestrictedAccessToHighRiskPorts-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      },
      {
       "Action": [
        "ssm:StartAutomationExecution",
        "ssm:GetAutomationExecution",
        "ssm:DescribeAutomationStepExecutions"
       ],
       "Effect": "Allow",
       "Resource": [
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":document/Solutions/SHARR-SO0111-DisableUnrestrictedAccessToHighRiskPorts-",
           {
            "Ref": "Namespace"
           }
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*::automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-execution/*"
          ]
         ]
        }
       ]
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-DisableUnrestrictedAccessToHighRiskPorts-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "RemediationRoleDisableUnrestrictedAccessToHighRiskPortsSHARRMemberBasePolicy1E31B945",
    "Roles": [
     {
      "Ref": "RemediationRoleDisableUnrestrictedAccessToHighRiskPortsMemberAccountRole4FB39E11"
     }
    ]
   }
  },
  "RemediationRoleDisableUnrestrictedAccessToHighRiskPortsMemberAccountRole4FB39E11": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":role/SO0111-SHARR-Orchestrator-Member"
          ]
         ]
        }
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "Service": "ssm.amazonaws.com"
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":root"
          ]
         ]
        }
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "RoleName": {
     "Fn::Join": [
      "",
      [
       "SO0111-DisableUnrestrictedAccessToHighRiskPorts-",
       {
        "Ref": "Namespace"
       }
      ]
     ]
    }
   },
   "DependsOn": [
    "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5"
   ],
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W11",
       "reason": "Resource * is required due to the administrative nature of the solution."
      },
      {
       "id": "W28",
       "reason": "Static names chosen intentionally to provide integration in cross-account permissions"
      }
     ]
    }
   }
  },
  "ASRRemediationPolicyEnablePrivateRepositoryScanning4D22B2EE": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": "ecr:PutImageScanningConfiguration",
       "Effect": "Allow",
       "Resource": "*"
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "ASRRemediationPolicyEnablePrivateRepositoryScanning4D22B2EE",
    "Roles": [
     {
      "Ref": "RemediationRoleEnablePrivateRepositoryScanningMemberAccountRole1481CC5D"
     }
    ]
   },
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
       {
        "id": "W12",
        "reason": "Resource * is required to allow remediation for any resource."
      }
     ]
    }
   }
  },
  "RemediationRoleEnablePrivateRepositoryScanningSHARRMemberBasePolicy190A8C0C": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "ssm:GetParameters",
        "ssm:GetParameter",
        "ssm:PutParameter"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":ssm:*:",
          {
           "Ref": "AWS::AccountId"
          },
          ":parameter/Solutions/SO0111/*"
         ]
        ]
       }
      },
      {
       "Action": "iam:PassRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-EnablePrivateRepositoryScanning-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      },
      {
       "Action": [
        "ssm:StartAutomationExecution",
        "ssm:GetAutomationExecution",
        "ssm:DescribeAutomationStepExecutions"
       ],
       "Effect": "Allow",
       "Resource": [
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":document/Solutions/SHARR-SO0111-EnablePrivateRepositoryScanning-",
           {
            "Ref": "Namespace"
           }
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*::automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-execution/*"
          ]
         ]
        }
       ]
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-EnablePrivateRepositoryScanning-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "RemediationRoleEnablePrivateRepositoryScanningSHARRMemberBasePolicy190A8C0C",
    "Roles": [
     {
      "Ref": "RemediationRoleEnablePrivateRepositoryScanningMemberAccountRole1481CC5D"
     }
    ]
   }
  },
  "RemediationRoleEnablePrivateRepositoryScanningMemberAccountRole1481CC5D": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":role/SO0111-SHARR-Orchestrator-Member"
          ]
         ]
        }
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "Service": "ssm.amazonaws.com"
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":root"
          ]
         ]
        }
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "RoleName": {
     "Fn::Join": [
      "",
      [
       "SO0111-EnablePrivateRepositoryScanning-",
       {
        "Ref": "Namespace"
       }
      ]
     ]
    }
   },
   "DependsOn": [
    "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5"
   ],
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W11",
       "reason": "Resource * is required due to the administrative nature of the solution."
      },
      {
       "id": "W28",
       "reason": "Static names chosen intentionally to provide integration in cross-account permissions"
      }
     ]
    }
   }
  },
  "ASRRemediationPolicySetS3LifecyclePolicy7F4C0192": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "s3:PutLifecycleConfiguration",
        "s3:GetLifecycleConfiguration"
       ],
       "Effect": "Allow",
       "Resource": "*"
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "ASRRemediationPolicySetS3LifecyclePolicy7F4C0192",
    "Roles": [
     {
      "Ref": "RemediationRoleSetS3LifecyclePolicyMemberAccountRole96385FD0"
     }
    ]
   },
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
       {
        "id": "W12",
        "reason": "Resource * is required to allow remediation for any resource."
      }
     ]
    }
   }
  },
  "RemediationRoleSetS3LifecyclePolicySHARRMemberBasePolicy92C3BE10": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "ssm:GetParameters",
        "ssm:GetParameter",
        "ssm:PutParameter"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":ssm:*:",
          {
           "Ref": "AWS::AccountId"
          },
          ":parameter/Solutions/SO0111/*"
         ]
        ]
       }
      },
      {
       "Action": "iam:PassRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-SetS3LifecyclePolicy-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      },
      {
       "Action": [
        "ssm:StartAutomationExecution",
        "ssm:GetAutomationExecution",
        "ssm:DescribeAutomationStepExecutions"
       ],
       "Effect": "Allow",
       "Resource": [
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":document/Solutions/SHARR-SO0111-SetS3LifecyclePolicy-",
           {
            "Ref": "Namespace"
           }
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*::automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-execution/*"
          ]
         ]
        }
       ]
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-SetS3LifecyclePolicy-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "RemediationRoleSetS3LifecyclePolicySHARRMemberBasePolicy92C3BE10",
    "Roles": [
     {
      "Ref": "RemediationRoleSetS3LifecyclePolicyMemberAccountRole96385FD0"
     }
    ]
   }
  },
  "RemediationRoleSetS3LifecyclePolicyMemberAccountRole96385FD0": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":role/SO0111-SHARR-Orchestrator-Member"
          ]
         ]
        }
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "Service": "ssm.amazonaws.com"
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":root"
          ]
         ]
        }
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "RoleName": {
     "Fn::Join": [
      "",
      [
       "SO0111-SetS3LifecyclePolicy-",
       {
        "Ref": "Namespace"
       }
      ]
     ]
    }
   },
   "DependsOn": [
    "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5"
   ],
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W11",
       "reason": "Resource * is required due to the administrative nature of the solution."
      },
      {
       "id": "W28",
       "reason": "Static names chosen intentionally to provide integration in cross-account permissions"
      }
     ]
    }
   }
  },
  "ASRRemediationPolicyUpdateSecretRotationPeriod8B602083": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "secretsmanager:RotateSecret",
        "secretsmanager:DescribeSecret"
       ],
       "Effect": "Allow",
       "Resource": "*"
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "ASRRemediationPolicyUpdateSecretRotationPeriod8B602083",
    "Roles": [
     {
      "Ref": "RemediationRoleUpdateSecretRotationPeriodMemberAccountRole3061BFB8"
     }
    ]
   },
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
       {
        "id": "W12",
        "reason": "Resource * is required to allow remediation for any resource."
      }
     ]
    }
   }
  },
  "RemediationRoleUpdateSecretRotationPeriodSHARRMemberBasePolicyEEE4A6DB": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "ssm:GetParameters",
        "ssm:GetParameter",
        "ssm:PutParameter"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":ssm:*:",
          {
           "Ref": "AWS::AccountId"
          },
          ":parameter/Solutions/SO0111/*"
         ]
        ]
       }
      },
      {
       "Action": "iam:PassRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-UpdateSecretRotationPeriod-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      },
      {
       "Action": [
        "ssm:StartAutomationExecution",
        "ssm:GetAutomationExecution",
        "ssm:DescribeAutomationStepExecutions"
       ],
       "Effect": "Allow",
       "Resource": [
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":document/Solutions/SHARR-SO0111-UpdateSecretRotationPeriod-",
           {
            "Ref": "Namespace"
           }
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*::automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-execution/*"
          ]
         ]
        }
       ]
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-UpdateSecretRotationPeriod-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "RemediationRoleUpdateSecretRotationPeriodSHARRMemberBasePolicyEEE4A6DB",
    "Roles": [
     {
      "Ref": "RemediationRoleUpdateSecretRotationPeriodMemberAccountRole3061BFB8"
     }
    ]
   }
  },
  "RemediationRoleUpdateSecretRotationPeriodMemberAccountRole3061BFB8": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":role/SO0111-SHARR-Orchestrator-Member"
          ]
         ]
        }
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "Service": "ssm.amazonaws.com"
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":root"
          ]
         ]
        }
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "RoleName": {
     "Fn::Join": [
      "",
      [
       "SO0111-UpdateSecretRotationPeriod-",
       {
        "Ref": "Namespace"
       }
      ]
     ]
    }
   },
   "DependsOn": [
    "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5"
   ],
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W11",
       "reason": "Resource * is required due to the administrative nature of the solution."
      },
      {
       "id": "W28",
       "reason": "Static names chosen intentionally to provide integration in cross-account permissions"
      }
     ]
    }
   }
  },
  "ASRRemediationPolicyDisableTGWAutoAcceptSharedAttachmentsA2E0FB90": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "ec2:ModifyTransitGateway",
        "ec2:DescribeTransitGateways"
       ],
       "Effect": "Allow",
       "Resource": "*"
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "ASRRemediationPolicyDisableTGWAutoAcceptSharedAttachmentsA2E0FB90",
    "Roles": [
     {
      "Ref": "RemediationRoleDisableTGWAutoAcceptSharedAttachmentsMemberAccountRole587194E6"
     }
    ]
   },
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W12",
       "reason": "Resource * is required for to allow remediation for any resource."
      }
     ]
    }
   }
  },
  "RemediationRoleDisableTGWAutoAcceptSharedAttachmentsSHARRMemberBasePolicy7630D74C": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "ssm:GetParameters",
        "ssm:GetParameter",
        "ssm:PutParameter"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":ssm:*:",
          {
           "Ref": "AWS::AccountId"
          },
          ":parameter/Solutions/SO0111/*"
         ]
        ]
       }
      },
      {
       "Action": "iam:PassRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-DisableTGWAutoAcceptSharedAttachments-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      },
      {
       "Action": [
        "ssm:StartAutomationExecution",
        "ssm:GetAutomationExecution",
        "ssm:DescribeAutomationStepExecutions"
       ],
       "Effect": "Allow",
       "Resource": [
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":document/Solutions/SHARR-SO0111-DisableTGWAutoAcceptSharedAttachments-",
           {
            "Ref": "Namespace"
           }
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*::automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-execution/*"
          ]
         ]
        }
       ]
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-DisableTGWAutoAcceptSharedAttachments-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "RemediationRoleDisableTGWAutoAcceptSharedAttachmentsSHARRMemberBasePolicy7630D74C",
    "Roles": [
     {
      "Ref": "RemediationRoleDisableTGWAutoAcceptSharedAttachmentsMemberAccountRole587194E6"
     }
    ]
   }
  },
  "RemediationRoleDisableTGWAutoAcceptSharedAttachmentsMemberAccountRole587194E6": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":role/SO0111-SHARR-Orchestrator-Member"
          ]
         ]
        }
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "Service": "ssm.amazonaws.com"
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":root"
          ]
         ]
        }
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "RoleName": {
     "Fn::Join": [
      "",
      [
       "SO0111-DisableTGWAutoAcceptSharedAttachments-",
       {
        "Ref": "Namespace"
       }
      ]
     ]
    }
   },
   "DependsOn": [
    "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5"
   ],
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W11",
       "reason": "Resource * is required due to the administrative nature of the solution."
      },
      {
       "id": "W28",
       "reason": "Static names chosen intentionally to provide integration in cross-account permissions"
      }
     ]
    }
   }
  },
  "ASRRemediationPolicyEnableGuardDuty90C5632A": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "guardduty:ListDetectors",
        "guardduty:CreateDetector",
        "guardduty:GetDetector",
        "guardduty:UpdateDetector"
       ],
       "Effect": "Allow",
       "Resource": "*"
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "ASRRemediationPolicyEnableGuardDuty90C5632A",
    "Roles": [
     {
      "Ref": "RemediationRoleEnableGuardDutyMemberAccountRoleAB2BC065"
     }
    ]
   },
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W12",
       "reason": "Resource * is required for to allow remediation for any resource."
      }
     ]
    }
   }
  },
  "RemediationRoleEnableGuardDutySHARRMemberBasePolicy360C4A3D": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "ssm:GetParameters",
        "ssm:GetParameter",
        "ssm:PutParameter"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":ssm:*:",
          {
           "Ref": "AWS::AccountId"
          },
          ":parameter/Solutions/SO0111/*"
         ]
        ]
       }
      },
      {
       "Action": "iam:PassRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-EnableGuardDuty-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      },
      {
       "Action": [
        "ssm:StartAutomationExecution",
        "ssm:GetAutomationExecution",
        "ssm:DescribeAutomationStepExecutions"
       ],
       "Effect": "Allow",
       "Resource": [
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":document/Solutions/SHARR-SO0111-EnableGuardDuty-",
           {
            "Ref": "Namespace"
           }
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*::automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-execution/*"
          ]
         ]
        }
       ]
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-EnableGuardDuty-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "RemediationRoleEnableGuardDutySHARRMemberBasePolicy360C4A3D",
    "Roles": [
     {
      "Ref": "RemediationRoleEnableGuardDutyMemberAccountRoleAB2BC065"
     }
    ]
   }
  },
  "RemediationRoleEnableGuardDutyMemberAccountRoleAB2BC065": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":role/SO0111-SHARR-Orchestrator-Member"
          ]
         ]
        }
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "Service": "ssm.amazonaws.com"
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":root"
          ]
         ]
        }
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "RoleName": {
     "Fn::Join": [
      "",
      [
       "SO0111-EnableGuardDuty-",
       {
        "Ref": "Namespace"
       }
      ]
     ]
    }
   },
   "DependsOn": [
    "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5"
   ],
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W11",
       "reason": "Resource * is required due to the administrative nature of the solution."
      },
      {
       "id": "W28",
       "reason": "Static names chosen intentionally to provide integration in cross-account permissions"
      }
     ]
    }
   }
  },
  "ASRRemediationPolicyTagGuardDutyResourceF88101FE": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": "guardduty:TagResource",
       "Effect": "Allow",
       "Resource": [
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":guardduty:*:*:detector/*/filter/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":guardduty:*:*:detector/*"
          ]
         ]
        }
       ]
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "ASRRemediationPolicyTagGuardDutyResourceF88101FE",
    "Roles": [
     {
      "Ref": "RemediationRoleTagGuardDutyResourceMemberAccountRole6D195F98"
     }
    ]
   },
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W12",
       "reason": "Resource * is required for to allow remediation for any resource."
      }
     ]
    }
   }
  },
  "RemediationRoleTagGuardDutyResourceSHARRMemberBasePolicy6136DA16": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "ssm:GetParameters",
        "ssm:GetParameter",
        "ssm:PutParameter"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":ssm:*:",
          {
           "Ref": "AWS::AccountId"
          },
          ":parameter/Solutions/SO0111/*"
         ]
        ]
       }
      },
      {
       "Action": "iam:PassRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-TagGuardDutyResource-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      },
      {
       "Action": [
        "ssm:StartAutomationExecution",
        "ssm:GetAutomationExecution",
        "ssm:DescribeAutomationStepExecutions"
       ],
       "Effect": "Allow",
       "Resource": [
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":document/Solutions/SHARR-SO0111-TagGuardDutyResource-",
           {
            "Ref": "Namespace"
           }
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*::automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-execution/*"
          ]
         ]
        }
       ]
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-TagGuardDutyResource-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "RemediationRoleTagGuardDutyResourceSHARRMemberBasePolicy6136DA16",
    "Roles": [
     {
      "Ref": "RemediationRoleTagGuardDutyResourceMemberAccountRole6D195F98"
     }
    ]
   }
  },
  "RemediationRoleTagGuardDutyResourceMemberAccountRole6D195F98": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":role/SO0111-SHARR-Orchestrator-Member"
          ]
         ]
        }
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "Service": "ssm.amazonaws.com"
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":root"
          ]
         ]
        }
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "RoleName": {
     "Fn::Join": [
      "",
      [
       "SO0111-TagGuardDutyResource-",
       {
        "Ref": "Namespace"
       }
      ]
     ]
    }
   },
   "DependsOn": [
    "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5"
   ],
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W11",
       "reason": "Resource * is required due to the administrative nature of the solution."
      },
      {
       "id": "W28",
       "reason": "Static names chosen intentionally to provide integration in cross-account permissions"
      }
     ]
    }
   }
  },
  "ASRRemediationPolicyEnableAutoSecretRotation7CF2A230": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "secretsmanager:RotateSecret",
        "secretsmanager:DescribeSecret"
       ],
       "Effect": "Allow",
       "Resource": "*"
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "ASRRemediationPolicyEnableAutoSecretRotation7CF2A230",
    "Roles": [
     {
      "Ref": "RemediationRoleEnableAutoSecretRotationMemberAccountRole2D3881E8"
     }
    ]
   },
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W12",
       "reason": "Resource * is required for to allow remediation for any resource."
      }
     ]
    }
   }
  },
  "RemediationRoleEnableAutoSecretRotationSHARRMemberBasePolicy88DFA8CF": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "ssm:GetParameters",
        "ssm:GetParameter",
        "ssm:PutParameter"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":ssm:*:",
          {
           "Ref": "AWS::AccountId"
          },
          ":parameter/Solutions/SO0111/*"
         ]
        ]
       }
      },
      {
       "Action": "iam:PassRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-EnableAutoSecretRotation-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      },
      {
       "Action": [
        "ssm:StartAutomationExecution",
        "ssm:GetAutomationExecution",
        "ssm:DescribeAutomationStepExecutions"
       ],
       "Effect": "Allow",
       "Resource": [
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":document/Solutions/SHARR-SO0111-EnableAutoSecretRotation-",
           {
            "Ref": "Namespace"
           }
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*::automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-execution/*"
          ]
         ]
        }
       ]
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-EnableAutoSecretRotation-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "RemediationRoleEnableAutoSecretRotationSHARRMemberBasePolicy88DFA8CF",
    "Roles": [
     {
      "Ref": "RemediationRoleEnableAutoSecretRotationMemberAccountRole2D3881E8"
     }
    ]
   }
  },
  "RemediationRoleEnableAutoSecretRotationMemberAccountRole2D3881E8": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":role/SO0111-SHARR-Orchestrator-Member"
          ]
         ]
        }
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "Service": "ssm.amazonaws.com"
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":root"
          ]
         ]
        }
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "RoleName": {
     "Fn::Join": [
      "",
      [
       "SO0111-EnableAutoSecretRotation-",
       {
        "Ref": "Namespace"
       }
      ]
     ]
    }
   },
   "DependsOn": [
    "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5"
   ],
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W11",
       "reason": "Resource * is required due to the administrative nature of the solution."
      },
      {
       "id": "W28",
       "reason": "Static names chosen intentionally to provide integration in cross-account permissions"
      }
     ]
    }
   }
  },
  "ASRRemediationPolicyRevokeUnauthorizedInboundRules8076314E": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "ec2:DescribeSecurityGroupRules",
        "ec2:RevokeSecurityGroupIngress"
       ],
       "Effect": "Allow",
       "Resource": "*"
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "ASRRemediationPolicyRevokeUnauthorizedInboundRules8076314E",
    "Roles": [
     {
      "Ref": "RemediationRoleRevokeUnauthorizedInboundRulesMemberAccountRoleFB22E2D5"
     }
    ]
   },
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W12",
       "reason": "Resource * is required for to allow remediation for any resource."
      }
     ]
    }
   }
  },
  "RemediationRoleRevokeUnauthorizedInboundRulesSHARRMemberBasePolicyF1A59088": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "ssm:GetParameters",
        "ssm:GetParameter",
        "ssm:PutParameter"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":ssm:*:",
          {
           "Ref": "AWS::AccountId"
          },
          ":parameter/Solutions/SO0111/*"
         ]
        ]
       }
      },
      {
       "Action": "iam:PassRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-RevokeUnauthorizedInboundRules-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      },
      {
       "Action": [
        "ssm:StartAutomationExecution",
        "ssm:GetAutomationExecution",
        "ssm:DescribeAutomationStepExecutions"
       ],
       "Effect": "Allow",
       "Resource": [
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":document/Solutions/SHARR-SO0111-RevokeUnauthorizedInboundRules-",
           {
            "Ref": "Namespace"
           }
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*::automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-execution/*"
          ]
         ]
        }
       ]
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-RevokeUnauthorizedInboundRules-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "RemediationRoleRevokeUnauthorizedInboundRulesSHARRMemberBasePolicyF1A59088",
    "Roles": [
     {
      "Ref": "RemediationRoleRevokeUnauthorizedInboundRulesMemberAccountRoleFB22E2D5"
     }
    ]
   }
  },
  "RemediationRoleRevokeUnauthorizedInboundRulesMemberAccountRoleFB22E2D5": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":role/SO0111-SHARR-Orchestrator-Member"
          ]
         ]
        }
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "Service": "ssm.amazonaws.com"
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":root"
          ]
         ]
        }
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "RoleName": {
     "Fn::Join": [
      "",
      [
       "SO0111-RevokeUnauthorizedInboundRules-",
       {
        "Ref": "Namespace"
       }
      ]
     ]
    }
   },
   "DependsOn": [
    "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5"
   ],
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W11",
       "reason": "Resource * is required due to the administrative nature of the solution."
      },
      {
       "id": "W28",
       "reason": "Static names chosen intentionally to provide integration in cross-account permissions"
      }
     ]
    }
   }
  },
  "ASRRemediationPolicyRemoveUnusedSecret692D8382": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "secretsmanager:DeleteSecret",
        "secretsmanager:DescribeSecret"
       ],
       "Effect": "Allow",
       "Resource": "*"
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "ASRRemediationPolicyRemoveUnusedSecret692D8382",
    "Roles": [
     {
      "Ref": "RemediationRoleRemoveUnusedSecretMemberAccountRole50B9F743"
     }
    ]
   },
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W12",
       "reason": "Resource * is required to allow remediation for any resource."
      }
     ]
    }
   }
  },
  "RemediationRoleRemoveUnusedSecretSHARRMemberBasePolicyA8B3817B": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "ssm:GetParameters",
        "ssm:GetParameter",
        "ssm:PutParameter"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":ssm:*:",
          {
           "Ref": "AWS::AccountId"
          },
          ":parameter/Solutions/SO0111/*"
         ]
        ]
       }
      },
      {
       "Action": "iam:PassRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-RemoveUnusedSecret-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      },
      {
       "Action": [
        "ssm:StartAutomationExecution",
        "ssm:GetAutomationExecution",
        "ssm:DescribeAutomationStepExecutions"
       ],
       "Effect": "Allow",
       "Resource": [
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":document/Solutions/SHARR-SO0111-RemoveUnusedSecret-",
           {
            "Ref": "Namespace"
           }
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*::automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-execution/*"
          ]
         ]
        }
       ]
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-RemoveUnusedSecret-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "RemediationRoleRemoveUnusedSecretSHARRMemberBasePolicyA8B3817B",
    "Roles": [
     {
      "Ref": "RemediationRoleRemoveUnusedSecretMemberAccountRole50B9F743"
     }
    ]
   }
  },
  "RemediationRoleRemoveUnusedSecretMemberAccountRole50B9F743": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":role/SO0111-SHARR-Orchestrator-Member"
          ]
         ]
        }
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "Service": "ssm.amazonaws.com"
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":root"
          ]
         ]
        }
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "RoleName": {
     "Fn::Join": [
      "",
      [
       "SO0111-RemoveUnusedSecret-",
       {
        "Ref": "Namespace"
       }
      ]
     ]
    }
   },
   "DependsOn": [
    "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5"
   ],
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W11",
       "reason": "Resource * is required due to the administrative nature of the solution."
      },
      {
       "id": "W28",
       "reason": "Static names chosen intentionally to provide integration in cross-account permissions"
      }
     ]
    }
   }
  },
  "ASRRemediationPolicySetLogGroupRetentionDaysD37C9B44": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": "logs:PutRetentionPolicy",
       "Effect": "Allow",
       "Resource": "*"
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "ASRRemediationPolicySetLogGroupRetentionDaysD37C9B44",
    "Roles": [
     {
      "Ref": "RemediationRoleSetLogGroupRetentionDaysMemberAccountRole5C9CEFCF"
     }
    ]
   },
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W12",
       "reason": "Resource * is required to allow remediation for any resource."
      }
     ]
    }
   }
  },
  "RemediationRoleSetLogGroupRetentionDaysSHARRMemberBasePolicyC59FA897": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "ssm:GetParameters",
        "ssm:GetParameter",
        "ssm:PutParameter"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":ssm:*:",
          {
           "Ref": "AWS::AccountId"
          },
          ":parameter/Solutions/SO0111/*"
         ]
        ]
       }
      },
      {
       "Action": "iam:PassRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-SetLogGroupRetentionDays-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      },
      {
       "Action": [
        "ssm:StartAutomationExecution",
        "ssm:GetAutomationExecution",
        "ssm:DescribeAutomationStepExecutions"
       ],
       "Effect": "Allow",
       "Resource": [
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":document/Solutions/SHARR-SO0111-SetLogGroupRetentionDays-",
           {
            "Ref": "Namespace"
           }
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*::automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-execution/*"
          ]
         ]
        }
       ]
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-SetLogGroupRetentionDays-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "RemediationRoleSetLogGroupRetentionDaysSHARRMemberBasePolicyC59FA897",
    "Roles": [
     {
      "Ref": "RemediationRoleSetLogGroupRetentionDaysMemberAccountRole5C9CEFCF"
     }
    ]
   }
  },
  "RemediationRoleSetLogGroupRetentionDaysMemberAccountRole5C9CEFCF": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":role/SO0111-SHARR-Orchestrator-Member"
          ]
         ]
        }
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "Service": "ssm.amazonaws.com"
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":root"
          ]
         ]
        }
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "RoleName": {
     "Fn::Join": [
      "",
      [
       "SO0111-SetLogGroupRetentionDays-",
       {
        "Ref": "Namespace"
       }
      ]
     ]
    }
   },
   "DependsOn": [
    "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5"
   ],
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W11",
       "reason": "Resource * is required due to the administrative nature of the solution."
      },
      {
       "id": "W28",
       "reason": "Static names chosen intentionally to provide integration in cross-account permissions"
      }
     ]
    }
   }
  },
  "ASRRemediationPolicyTerminateEC2Instance4F038AA0": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "ec2:TerminateInstances",
        "ec2:DescribeInstanceStatus"
       ],
       "Effect": "Allow",
       "Resource": "*"
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "ASRRemediationPolicyTerminateEC2Instance4F038AA0",
    "Roles": [
     {
      "Ref": "RemediationRoleTerminateEC2InstanceMemberAccountRoleE3F5E615"
     }
    ]
   },
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W12",
       "reason": "Resource * is required to allow remediation for any resource."
      }
     ]
    }
   }
  },
  "RemediationRoleTerminateEC2InstanceSHARRMemberBasePolicyBB17C511": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "ssm:GetParameters",
        "ssm:GetParameter",
        "ssm:PutParameter"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":ssm:*:",
          {
           "Ref": "AWS::AccountId"
          },
          ":parameter/Solutions/SO0111/*"
         ]
        ]
       }
      },
      {
       "Action": "iam:PassRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-TerminateEC2Instance-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      },
      {
       "Action": [
        "ssm:StartAutomationExecution",
        "ssm:GetAutomationExecution",
        "ssm:DescribeAutomationStepExecutions"
       ],
       "Effect": "Allow",
       "Resource": [
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":document/Solutions/SHARR-SO0111-TerminateEC2Instance-",
           {
            "Ref": "Namespace"
           }
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*::automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-execution/*"
          ]
         ]
        }
       ]
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-TerminateEC2Instance-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "RemediationRoleTerminateEC2InstanceSHARRMemberBasePolicyBB17C511",
    "Roles": [
     {
      "Ref": "RemediationRoleTerminateEC2InstanceMemberAccountRoleE3F5E615"
     }
    ]
   }
  },
  "RemediationRoleTerminateEC2InstanceMemberAccountRoleE3F5E615": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":role/SO0111-SHARR-Orchestrator-Member"
          ]
         ]
        }
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "Service": "ssm.amazonaws.com"
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":root"
          ]
         ]
        }
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "RoleName": {
     "Fn::Join": [
      "",
      [
       "SO0111-TerminateEC2Instance-",
       {
        "Ref": "Namespace"
       }
      ]
     ]
    }
   },
   "DependsOn": [
    "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5"
   ],
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W11",
       "reason": "Resource * is required due to the administrative nature of the solution."
      },
      {
       "id": "W28",
       "reason": "Static names chosen intentionally to provide integration in cross-account permissions"
      }
     ]
    }
   }
  },
  "ASRRemediationPolicyEnableAPIGatewayCacheDataEncryption73A0EA08": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": "apigateway:PATCH",
       "Effect": "Allow",
       "Resource": "*"
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "ASRRemediationPolicyEnableAPIGatewayCacheDataEncryption73A0EA08",
    "Roles": [
     {
      "Ref": "RemediationRoleEnableAPIGatewayCacheDataEncryptionMemberAccountRole8DDCC03A"
     }
    ]
   },
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W12",
       "reason": "Resource * is required to allow remediation for any resource."
      }
     ]
    }
   }
  },
  "RemediationRoleEnableAPIGatewayCacheDataEncryptionSHARRMemberBasePolicyE941F902": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "ssm:GetParameters",
        "ssm:GetParameter",
        "ssm:PutParameter"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":ssm:*:",
          {
           "Ref": "AWS::AccountId"
          },
          ":parameter/Solutions/SO0111/*"
         ]
        ]
       }
      },
      {
       "Action": "iam:PassRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-EnableAPIGatewayCacheDataEncryption-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      },
      {
       "Action": [
        "ssm:StartAutomationExecution",
        "ssm:GetAutomationExecution",
        "ssm:DescribeAutomationStepExecutions"
       ],
       "Effect": "Allow",
       "Resource": [
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":document/Solutions/SHARR-SO0111-EnableAPIGatewayCacheDataEncryption-",
           {
            "Ref": "Namespace"
           }
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*::automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-execution/*"
          ]
         ]
        }
       ]
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-EnableAPIGatewayCacheDataEncryption-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "RemediationRoleEnableAPIGatewayCacheDataEncryptionSHARRMemberBasePolicyE941F902",
    "Roles": [
     {
      "Ref": "RemediationRoleEnableAPIGatewayCacheDataEncryptionMemberAccountRole8DDCC03A"
     }
    ]
   }
  },
  "RemediationRoleEnableAPIGatewayCacheDataEncryptionMemberAccountRole8DDCC03A": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":role/SO0111-SHARR-Orchestrator-Member"
          ]
         ]
        }
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "Service": "ssm.amazonaws.com"
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":root"
          ]
         ]
        }
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "RoleName": {
     "Fn::Join": [
      "",
      [
       "SO0111-EnableAPIGatewayCacheDataEncryption-",
       {
        "Ref": "Namespace"
       }
      ]
     ]
    }
   },
   "DependsOn": [
    "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5"
   ],
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W11",
       "reason": "Resource * is required due to the administrative nature of the solution."
      },
      {
       "id": "W28",
       "reason": "Static names chosen intentionally to provide integration in cross-account permissions"
      }
     ]
    }
   }
  },
  "ASRRemediationPolicyConfigureAutoScalingLaunchConfigToRequireIMDSv2079F73E2": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "iam:GetRole",
        "iam:PassRole"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/AmazonSSMRoleForInstancesQuickSetup"
         ]
        ]
       }
      },
      {
       "Action": [
        "autoscaling:UpdateAutoScalingGroup",
        "autoscaling:CreateLaunchConfiguration",
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:DescribeLaunchConfigurations",
        "autoscaling:DeleteLaunchConfiguration"
       ],
       "Effect": "Allow",
       "Resource": "*"
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "ASRRemediationPolicyConfigureAutoScalingLaunchConfigToRequireIMDSv2079F73E2",
    "Roles": [
     {
      "Ref": "RemediationRoleConfigureAutoScalingLaunchConfigToRequireIMDSv2MemberAccountRole28FA7ABE"
     }
    ]
   },
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W12",
       "reason": "Resource * is required to allow remediation for any resource."
      }
     ]
    }
   }
  },
  "RemediationRoleConfigureAutoScalingLaunchConfigToRequireIMDSv2SHARRMemberBasePolicy9E29DACD": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "ssm:GetParameters",
        "ssm:GetParameter",
        "ssm:PutParameter"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":ssm:*:",
          {
           "Ref": "AWS::AccountId"
          },
          ":parameter/Solutions/SO0111/*"
         ]
        ]
       }
      },
      {
       "Action": "iam:PassRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-ConfigureAutoScalingLaunchConfigToRequireIMDSv2-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      },
      {
       "Action": [
        "ssm:StartAutomationExecution",
        "ssm:GetAutomationExecution",
        "ssm:DescribeAutomationStepExecutions"
       ],
       "Effect": "Allow",
       "Resource": [
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":document/Solutions/SHARR-SO0111-ConfigureAutoScalingLaunchConfigToRequireIMDSv2-",
           {
            "Ref": "Namespace"
           }
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*::automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-execution/*"
          ]
         ]
        }
       ]
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-ConfigureAutoScalingLaunchConfigToRequireIMDSv2-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "RemediationRoleConfigureAutoScalingLaunchConfigToRequireIMDSv2SHARRMemberBasePolicy9E29DACD",
    "Roles": [
     {
      "Ref": "RemediationRoleConfigureAutoScalingLaunchConfigToRequireIMDSv2MemberAccountRole28FA7ABE"
     }
    ]
   }
  },
  "RemediationRoleConfigureAutoScalingLaunchConfigToRequireIMDSv2MemberAccountRole28FA7ABE": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":role/SO0111-SHARR-Orchestrator-Member"
          ]
         ]
        }
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "Service": "ssm.amazonaws.com"
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":root"
          ]
         ]
        }
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "RoleName": {
     "Fn::Join": [
      "",
      [
       "SO0111-ConfigureAutoScalingLaunchConfigToRequireIMDSv2-",
       {
        "Ref": "Namespace"
       }
      ]
     ]
    }
   },
   "DependsOn": [
    "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5"
   ],
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W11",
       "reason": "Resource * is required due to the administrative nature of the solution."
      },
      {
       "id": "W28",
       "reason": "Static names chosen intentionally to provide integration in cross-account permissions"
      }
     ]
    }
   }
  },
  "ASRRemediationPolicyConfigureAutoScalingLaunchConfigNoPublicIP9F64AA21": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "iam:GetRole",
        "iam:PassRole"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/AmazonSSMRoleForInstancesQuickSetup"
         ]
        ]
       }
      },
      {
       "Action": [
        "autoscaling:UpdateAutoScalingGroup",
        "autoscaling:CreateLaunchConfiguration",
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:DescribeLaunchConfigurations",
        "autoscaling:DeleteLaunchConfiguration"
       ],
       "Effect": "Allow",
       "Resource": "*"
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "ASRRemediationPolicyConfigureAutoScalingLaunchConfigNoPublicIP9F64AA21",
    "Roles": [
     {
      "Ref": "RemediationRoleConfigureAutoScalingLaunchConfigNoPublicIPMemberAccountRoleAD7193E6"
     }
    ]
   },
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W12",
       "reason": "Resource * is required to allow remediation for any resource."
      }
     ]
    }
   }
  },
  "RemediationRoleConfigureAutoScalingLaunchConfigNoPublicIPSHARRMemberBasePolicy3617042A": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "ssm:GetParameters",
        "ssm:GetParameter",
        "ssm:PutParameter"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":ssm:*:",
          {
           "Ref": "AWS::AccountId"
          },
          ":parameter/Solutions/SO0111/*"
         ]
        ]
       }
      },
      {
       "Action": "iam:PassRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-ConfigureAutoScalingLaunchConfigNoPublicIP-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      },
      {
       "Action": [
        "ssm:StartAutomationExecution",
        "ssm:GetAutomationExecution",
        "ssm:DescribeAutomationStepExecutions"
       ],
       "Effect": "Allow",
       "Resource": [
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":document/Solutions/SHARR-SO0111-ConfigureAutoScalingLaunchConfigNoPublicIP-",
           {
            "Ref": "Namespace"
           }
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*::automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-execution/*"
          ]
         ]
        }
       ]
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-ConfigureAutoScalingLaunchConfigNoPublicIP-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "RemediationRoleConfigureAutoScalingLaunchConfigNoPublicIPSHARRMemberBasePolicy3617042A",
    "Roles": [
     {
      "Ref": "RemediationRoleConfigureAutoScalingLaunchConfigNoPublicIPMemberAccountRoleAD7193E6"
     }
    ]
   }
  },
  "RemediationRoleConfigureAutoScalingLaunchConfigNoPublicIPMemberAccountRoleAD7193E6": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":role/SO0111-SHARR-Orchestrator-Member"
          ]
         ]
        }
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "Service": "ssm.amazonaws.com"
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":root"
          ]
         ]
        }
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "RoleName": {
     "Fn::Join": [
      "",
      [
       "SO0111-ConfigureAutoScalingLaunchConfigNoPublicIP-",
       {
        "Ref": "Namespace"
       }
      ]
     ]
    }
   },
   "DependsOn": [
    "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5"
   ],
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W11",
       "reason": "Resource * is required due to the administrative nature of the solution."
      },
      {
       "id": "W28",
       "reason": "Static names chosen intentionally to provide integration in cross-account permissions"
      }
     ]
    }
   }
  },
  "ASRRemediationPolicyEnableMacie1038F1C7": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": "macie2:EnableMacie",
       "Effect": "Allow",
       "Resource": "*"
      },
      {
       "Action": [
        "iam:CreateServiceLinkedRole",
        "iam:AttachRolePolicy",
        "iam:PutRolePolicy"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/aws-service-role/macie.amazonaws.com/AWSServiceRoleForAmazonMacie*"
         ]
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "ASRRemediationPolicyEnableMacie1038F1C7",
    "Roles": [
     {
      "Ref": "RemediationRoleEnableMacieMemberAccountRole5538535C"
     }
    ]
   },
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W12",
       "reason": "Resource wildcard (*) is required by the EnableMacie API."
      }
     ]
    }
   }
  },
  "RemediationRoleEnableMacieSHARRMemberBasePolicy92EFAA4C": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "ssm:GetParameters",
        "ssm:GetParameter",
        "ssm:PutParameter"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":ssm:*:",
          {
           "Ref": "AWS::AccountId"
          },
          ":parameter/Solutions/SO0111/*"
         ]
        ]
       }
      },
      {
       "Action": "iam:PassRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-EnableMacie-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      },
      {
       "Action": [
        "ssm:StartAutomationExecution",
        "ssm:GetAutomationExecution",
        "ssm:DescribeAutomationStepExecutions"
       ],
       "Effect": "Allow",
       "Resource": [
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":document/Solutions/SHARR-SO0111-EnableMacie-",
           {
            "Ref": "Namespace"
           }
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*::automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-execution/*"
          ]
         ]
        }
       ]
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-EnableMacie-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "RemediationRoleEnableMacieSHARRMemberBasePolicy92EFAA4C",
    "Roles": [
     {
      "Ref": "RemediationRoleEnableMacieMemberAccountRole5538535C"
     }
    ]
   }
  },
  "RemediationRoleEnableMacieMemberAccountRole5538535C": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":role/SO0111-SHARR-Orchestrator-Member"
          ]
         ]
        }
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "Service": "ssm.amazonaws.com"
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":root"
          ]
         ]
        }
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "RoleName": {
     "Fn::Join": [
      "",
      [
       "SO0111-EnableMacie-",
       {
        "Ref": "Namespace"
       }
      ]
     ]
    }
   },
   "DependsOn": [
    "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5"
   ],
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W11",
       "reason": "Resource * is required due to the administrative nature of the solution."
      },
      {
       "id": "W28",
       "reason": "Static names chosen intentionally to provide integration in cross-account permissions"
      }
     ]
    }
   }
  },
  "ASRRemediationPolicyEnableAPIGatewayExecutionLogs047A2AE2": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": "apigateway:PATCH",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":apigateway:",
          {
           "Ref": "AWS::Region"
          },
          "::/restapis/*/stages/*"
         ]
        ]
       }
      },
      {
       "Action": [
        "apigateway:PATCH",
        "apigateway:GET"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":apigateway:",
          {
           "Ref": "AWS::Region"
          },
          "::/apis/*/stages/*"
         ]
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "ASRRemediationPolicyEnableAPIGatewayExecutionLogs047A2AE2",
    "Roles": [
     {
      "Ref": "RemediationRoleEnableAPIGatewayExecutionLogsMemberAccountRole1B8CCCD4"
     }
    ]
   },
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W12",
       "reason": "Resource wildcard (*) is required to update any API Stage in the member account."
      }
     ]
    }
   }
  },
  "RemediationRoleEnableAPIGatewayExecutionLogsSHARRMemberBasePolicyDD901BF7": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "ssm:GetParameters",
        "ssm:GetParameter",
        "ssm:PutParameter"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":ssm:*:",
          {
           "Ref": "AWS::AccountId"
          },
          ":parameter/Solutions/SO0111/*"
         ]
        ]
       }
      },
      {
       "Action": "iam:PassRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-EnableAPIGatewayExecutionLogs-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      },
      {
       "Action": [
        "ssm:StartAutomationExecution",
        "ssm:GetAutomationExecution",
        "ssm:DescribeAutomationStepExecutions"
       ],
       "Effect": "Allow",
       "Resource": [
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":document/Solutions/SHARR-SO0111-EnableAPIGatewayExecutionLogs-",
           {
            "Ref": "Namespace"
           }
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*::automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-execution/*"
          ]
         ]
        }
       ]
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-EnableAPIGatewayExecutionLogs-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "RemediationRoleEnableAPIGatewayExecutionLogsSHARRMemberBasePolicyDD901BF7",
    "Roles": [
     {
      "Ref": "RemediationRoleEnableAPIGatewayExecutionLogsMemberAccountRole1B8CCCD4"
     }
    ]
   }
  },
  "RemediationRoleEnableAPIGatewayExecutionLogsMemberAccountRole1B8CCCD4": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":role/SO0111-SHARR-Orchestrator-Member"
          ]
         ]
        }
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "Service": "ssm.amazonaws.com"
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":root"
          ]
         ]
        }
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "RoleName": {
     "Fn::Join": [
      "",
      [
       "SO0111-EnableAPIGatewayExecutionLogs-",
       {
        "Ref": "Namespace"
       }
      ]
     ]
    }
   },
   "DependsOn": [
    "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5"
   ],
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W11",
       "reason": "Resource * is required due to the administrative nature of the solution."
      },
      {
       "id": "W28",
       "reason": "Static names chosen intentionally to provide integration in cross-account permissions"
      }
     ]
    }
   }
  },
  "ASRRemediationPolicyEnableAthenaWorkGroupLogging4573805D": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": "athena:UpdateWorkGroup",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":athena:*:",
          {
           "Ref": "AWS::AccountId"
          },
          ":workgroup/*"
         ]
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "ASRRemediationPolicyEnableAthenaWorkGroupLogging4573805D",
    "Roles": [
     {
      "Ref": "RemediationRoleEnableAthenaWorkGroupLoggingMemberAccountRole5BCA3A47"
     }
    ]
   },
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W12",
       "reason": "Resource wildcard (*) is required to update any Athena Work Group in the member account."
      }
     ]
    }
   }
  },
  "RemediationRoleEnableAthenaWorkGroupLoggingSHARRMemberBasePolicyED0B4E30": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "ssm:GetParameters",
        "ssm:GetParameter",
        "ssm:PutParameter"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":ssm:*:",
          {
           "Ref": "AWS::AccountId"
          },
          ":parameter/Solutions/SO0111/*"
         ]
        ]
       }
      },
      {
       "Action": "iam:PassRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-EnableAthenaWorkGroupLogging-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      },
      {
       "Action": [
        "ssm:StartAutomationExecution",
        "ssm:GetAutomationExecution",
        "ssm:DescribeAutomationStepExecutions"
       ],
       "Effect": "Allow",
       "Resource": [
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":document/Solutions/SHARR-SO0111-EnableAthenaWorkGroupLogging-",
           {
            "Ref": "Namespace"
           }
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*::automation-definition/*"
          ]
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":ssm:*:",
           {
            "Ref": "AWS::AccountId"
           },
           ":automation-execution/*"
          ]
         ]
        }
       ]
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":iam::",
          {
           "Ref": "AWS::AccountId"
          },
          ":role/SO0111-EnableAthenaWorkGroupLogging-",
          {
           "Ref": "Namespace"
          }
         ]
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "RemediationRoleEnableAthenaWorkGroupLoggingSHARRMemberBasePolicyED0B4E30",
    "Roles": [
     {
      "Ref": "RemediationRoleEnableAthenaWorkGroupLoggingMemberAccountRole5BCA3A47"
     }
    ]
   }
  },
  "RemediationRoleEnableAthenaWorkGroupLoggingMemberAccountRole5BCA3A47": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":role/SO0111-SHARR-Orchestrator-Member"
          ]
         ]
        }
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "Service": "ssm.amazonaws.com"
       }
      },
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::Join": [
          "",
          [
           "arn:",
           {
            "Ref": "AWS::Partition"
           },
           ":iam::",
           {
            "Ref": "AWS::AccountId"
           },
           ":root"
          ]
         ]
        }
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "RoleName": {
     "Fn::Join": [
      "",
      [
       "SO0111-EnableAthenaWorkGroupLogging-",
       {
        "Ref": "Namespace"
       }
      ]
     ]
    }
   },
   "DependsOn": [
    "OrchestratorMemberRoleMemberAccountRoleBE9AD9D5"
   ],
   "Metadata": {
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W11",
       "reason": "Resource * is required due to the administrative nature of the solution."
      },
      {
       "id": "W28",
       "reason": "Static names chosen intentionally to provide integration in cross-account permissions"
      }
     ]
    }
   }
  }
 }
}