fix(modules): volume access add KMS self management permission

sysdiglabs · Sep 10, 2024 · a4f4417 · a4f4417
1 parent 2edb270
commit a4f4417
Showing 1 changed file with 31 additions and 7 deletions.
diff --git a/modules/volume_access.cft.yaml b/modules/volume_access.cft.yaml
@@ -255,7 +255,8 @@ Resources:
                   Effect: "Allow"
                   Principal:
                     AWS:
-                    - !Sub "arn:aws:iam::${AWS::AccountId}:root"
+                    - !Sub arn:aws:iam::${AWS::AccountId}:root
+                    - !Sub arn:aws:iam::${AWS::AccountId}:role/sysdig-secure-scanning-stackset-execution-${NameSuffix}
                   Action: "kms:*"
                   Resource: "*"
           ScanningKmsAlias:
@@ -289,6 +290,8 @@ Resources:
         ParameterValue: !Ref TrustedIdentity
       - ParameterKey: ExternalID
         ParameterValue: !Ref ExternalID
+      - ParameterKey: AdministrationRoleID
+        ParameterValue: !GetAtt AdministrationRole.RoleId
       StackInstancesGroup:
       - DeploymentTargets:
           OrganizationalUnitIds: !Ref OrganizationalUnitIDs
@@ -312,6 +315,9 @@ Resources:
           ScanningAccountID:
             Type: String
             Description: The AWS Account ID of the Sysdig Scanning Account
+          AdministrationRoleID:
+            Type: String
+            Description: The ID of the Administration Role allowed to assume the execution role(s) in the target account
         Resources:
           ScanningRole:
             Type: AWS::IAM::Role
@@ -394,18 +400,35 @@ Resources:
                     Condition:
                       StringEqualsIgnoreCase:
                         "aws:ResourceTag/CreatedBy": "Sysdig" 
+          ExecutionRole:
+            Type: AWS::IAM::Role   
+            Properties:
+              RoleName: !Sub sysdig-secure-scanning-stackset-execution-${NameSuffix}
+              AssumeRolePolicyDocument:
+                Version: 2012-10-17
+                Statement:
+                - Effect: Allow
+                  Principal:
+                    AWS:
+                    - !Ref AdministrationRoleID
+                  Action:
+                  - sts:AssumeRole
+              ManagedPolicyArns:
+              - arn:aws:iam::aws:policy/AWSKeyManagementServicePowerUser
+              - arn:aws:iam::aws:policy/AWSCloudFormationFullAccess
   OrganizationKMSKeyStackSet:
     Type: AWS::CloudFormation::StackSet
     Condition: IsOrganizational
+    DependsOn:
+    - OrganizationRoleStackSet
     Properties:
       StackSetName: !Sub sysdig-secure-scanning-organization-kmskey-${NameSuffix}
       Description: IAM Role used to create KMS Keys to scan organization accounts/regions
-      PermissionModel: SERVICE_MANAGED
+      AdministrationRoleARN: !GetAtt AdministrationRole.Arn
+      ExecutionRoleName: !Sub sysdig-secure-scanning-stackset-execution-${NameSuffix}
+      PermissionModel: SELF_MANAGED
       Capabilities:
-      - "CAPABILITY_NAMED_IAM"
-      AutoDeployment:
-        Enabled: true
-        RetainStacksOnAccountRemoval: false         
+      - "CAPABILITY_NAMED_IAM"     
       ManagedExecution:
         Active: true        
       OperationPreferences:
@@ -464,7 +487,8 @@ Resources:
                   Effect: "Allow"
                   Principal:
                     AWS:
-                    - !Sub "arn:aws:iam::${AWS::AccountId}:root"
+                    - !Sub arn:aws:iam::${AWS::AccountId}:root
+                    - !Sub arn:aws:iam::${AWS::AccountId}:role/sysdig-secure-scanning-stackset-execution-${NameSuffix}
                   Action: "kms:*"
                   Resource: "*"
           ScanningKmsAlias: