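---
# Cross-account IAM role for the Well-Architected Review Tool engagement.
# The trusted (1Strategy) account may assume this role; the attached inline
# policy limits it to the Well-Architected and Trusted Advisor APIs listed
# below. Anything not granted here is denied by omission.
AWSTemplateFormatVersion: "2010-09-09"
Description: >-
  This Role grants 1Strategy the ability to create, list, and get workloads in the
  Well Architected Review Tool and run Trusted Advisor in the customer's account
  This Role does not allow 1Strategy to access to other resources in the customer's account.

Parameters:
  TrustedAccount:
    # An AWS account ID is a 12-digit identifier, not a number: a leading
    # zero is legal, and a Number parameter with MinValue 100000000000
    # would reject such an ID. Accept it as a String and validate by pattern.
    Type: String
    Description: 1Strategy Account Id. Engineers will assume the IAM Role in your account from this AWS account.
    AllowedPattern: "^[0-9]{12}$"
    ConstraintDescription: must be a 12-digit AWS account ID
    Default: "494090490970"
    NoEcho: true

Resources:
  WellArchitectedReviewToolRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: WellArchitectedReviewToolRole
      # Trust policy: who may call sts:AssumeRole on this role.
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              # A bare account ID is the account root principal, i.e. any IAM
              # principal in TrustedAccount that is itself allowed sts:AssumeRole.
              AWS: !Ref TrustedAccount
            Action:
              - sts:AssumeRole
            Condition:
              # BoolIfExists is satisfied when aws:MultiFactorAuthPresent is
              # absent from the request (role chaining, some federation paths),
              # so MFA is only enforced for callers that carry the key. Use
              # Bool instead of BoolIfExists for strict enforcement. No
              # sts:ExternalId condition is set on this trust.
              BoolIfExists:
                aws:MultiFactorAuthPresent: "true"
      Policies:
        - PolicyName: "Well-Architected-Review-Tool-Policy"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # NOTE(review): wellarchitected:* is broader than the "create,
              # list, and get workloads" the Description promises (it also
              # covers update/delete/share actions on the service). Narrow it
              # to the verbs the tool needs once they are confirmed.
              - Sid: wellarchitected
                Effect: Allow
                Action:
                  - wellarchitected:*
                Resource: "*"
              # One plain action name per entry. A trailing comma on a YAML
              # list item becomes part of the string ("...Statuses,") and
              # IAM rejects the policy document as malformed.
              - Sid: AllowTrustedAdvisorChecks
                Effect: Allow
                Action:
                  - trustedadvisor:DescribeCheckRefreshStatuses
                  - trustedadvisor:DescribeCheckSummaries
                  - trustedadvisor:ExcludeCheckItems
                  - trustedadvisor:IncludeCheckItems
                  - trustedadvisor:RefreshCheck
                  - trustedadvisor:DescribeCheckItems
                Resource: "arn:aws:trustedadvisor:*:*:checks/*/*"
              # Account-level Trusted Advisor reads have no resource-level
              # ARN, hence the wildcard resource.
              - Sid: AllowTrustedAdvisorAcct
                Effect: Allow
                Action:
                  - trustedadvisor:DescribeAccountAccess
                  - trustedadvisor:DescribeNotificationPreferences
                Resource: "*"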