-
Notifications
You must be signed in to change notification settings - Fork 0
/
EnableGuardDuty.yaml
66 lines (64 loc) · 2.09 KB
/
EnableGuardDuty.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
AWSTemplateFormatVersion: 2010-09-09
Description: Creates a new role to allow an administrator account to enable and manage GuardDuty.
Parameters:
AdministratorAccountId:
Type: String
Description: AWS Account Id of the administrator account (the account in which will recieve GuardDuty findings from member accounts).
MaxLength: 12
MinLength: 12
CreateInstanceRole:
Type: String
Description: Select Yes to create an EC2 instance role that can be attached to an instnace in the Master account which will allow the instance to assume the exection role. Select No if you plan to run the script locally or are creating the stack in a member account.
AllowedValues: ["Yes", "No"]
Conditions:
CreateInstanceRole: !Equals [!Ref CreateInstanceRole, "Yes"]
Resources:
ExecutionRole:
Type: AWS::IAM::Role
Properties:
RoleName: ManageGuardDuty
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
AWS:
- !Ref AdministratorAccountId
Action:
- sts:AssumeRole
Path: /
ManagedPolicyArns:
- arn:aws:iam::aws:policy/AmazonGuardDutyFullAccess
InstanceRole:
Type: AWS::IAM::Role
Condition: CreateInstanceRole
Properties:
RoleName: ManageGuardDutyInstanceRole
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
-
Effect: "Allow"
Principal:
Service:
- "ec2.amazonaws.com"
Action:
- "sts:AssumeRole"
Policies:
-
PolicyName: ManageGuardDutyPolicy
PolicyDocument:
Version: "2012-10-17"
Statement:
-
Effect: "Allow"
Action: "sts:AssumeRole"
Resource: !Join ["", ["arn:aws:iam::*:role/",!Ref ExecutionRole]]
InstanceProfile:
Type: AWS::IAM::InstanceProfile
Condition: CreateInstanceRole
Properties:
Path: /
Roles:
- !Ref InstanceRole
InstanceProfileName: EnableGuardDuty