From a4f4417ceb75ae99cfce6f450de2b2b2e9e7c520 Mon Sep 17 00:00:00 2001
From: Christopher Geers
Date: Tue, 10 Sep 2024 16:01:50 -0500
Subject: [PATCH] fix(modules): volume access add KMS self management permission
---
 modules/volume_access.cft.yaml | 38 +++++++++++++++++++++++++++-------
 1 file changed, 31 insertions(+), 7 deletions(-)
diff --git a/modules/volume_access.cft.yaml b/modules/volume_access.cft.yaml
index 4729082..74b7935 100644
--- a/modules/volume_access.cft.yaml
+++ b/modules/volume_access.cft.yaml
@@ -255,7 +255,8 @@ Resources: Effect: "Allow" Principal: AWS: - !Sub "arn:aws:iam::${AWS::AccountId}:root" + - !Sub arn:aws:iam::${AWS::AccountId}:root + - !Sub arn:aws:iam::${AWS::AccountId}:role/sysdig-secure-scanning-stackset-execution-${NameSuffix} Action: "kms:*" Resource: "*" ScanningKmsAlias:
@@ -289,6 +290,8 @@ Resources: ParameterValue: !Ref TrustedIdentity - ParameterKey: ExternalID ParameterValue: !Ref ExternalID + - ParameterKey: AdministrationRoleID + ParameterValue: !GetAtt AdministrationRole.RoleId StackInstancesGroup: - DeploymentTargets: OrganizationalUnitIds: !Ref OrganizationalUnitIDs
@@ -312,6 +315,9 @@ Resources: ScanningAccountID: Type: String Description: The AWS Account ID of the Sysdig Scanning Account + AdministrationRoleID: + Type: String + Description: The ID of the Administration Role allowed to assume the execution role(s) in the target account Resources: ScanningRole: Type: AWS::IAM::Role
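Review bot: The execution-role principal added to the key policy in the hunk at -255 is covered by the existing `Action: "kms:*"`, which includes data-plane operations such as `kms:Decrypt` and `kms:GenerateDataKey` that a CloudFormation execution role does not need in order to create, tag, update or schedule deletion of the key; the same statement is repeated in the hunk at -464. A separate statement for that role limited to key-administration actions (for example `kms:DescribeKey`, `kms:PutKeyPolicy`, `kms:TagResource`, `kms:ScheduleKeyDeletion`) leaves the account root as the only principal with full key access. KMS normally rejects a key policy that names an IAM role which does not yet exist in that account, so this key can only be created once `sysdig-secure-scanning-stackset-execution-${NameSuffix}` is present in the same account; the `DependsOn` added in the hunk at -394 appears to cover the stack-set copy, but nothing visible here orders the role ahead of this first key unless a part of the template not shown creates it. Dropping the quotes around the two `!Sub` values is harmless, but the next line keeps `Action: "kms:*"` quoted; quoting all three scalars or none reads more consistently.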
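Review bot: `AdministrationRoleID` in the hunk at -312 is consumed as an IAM trust-policy principal in the hunk at -394, yet it is declared as an unconstrained `String`, so an empty or mistyped value is only reported when the member-account stack fails on its trust policy. Since IAM role unique IDs start with `AROA`, adding `AllowedPattern: "^AROA[A-Z0-9]+$"` with a matching `ConstraintDescription` rejects bad input at parameter-validation time instead. The enclosing `Parameters` mapping of the nested template starts outside the hunk.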
@@ -394,18 +400,35 @@ Resources: Condition: StringEqualsIgnoreCase: "aws:ResourceTag/CreatedBy": "Sysdig" + ExecutionRole: + Type: AWS::IAM::Role + Properties: + RoleName: !Sub sysdig-secure-scanning-stackset-execution-${NameSuffix} + AssumeRolePolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Principal: + AWS: + - !Ref AdministrationRoleID + Action: + - sts:AssumeRole + ManagedPolicyArns: + - arn:aws:iam::aws:policy/AWSKeyManagementServicePowerUser + - arn:aws:iam::aws:policy/AWSCloudFormationFullAccess OrganizationKMSKeyStackSet: Type: AWS::CloudFormation::StackSet Condition: IsOrganizational + DependsOn: + - OrganizationRoleStackSet Properties: StackSetName: !Sub sysdig-secure-scanning-organization-kmskey-${NameSuffix} Description: IAM Role used to create KMS Keys to scan organization accounts/regions - PermissionModel: SERVICE_MANAGED + AdministrationRoleARN: !GetAtt AdministrationRole.Arn + ExecutionRoleName: !Sub sysdig-secure-scanning-stackset-execution-${NameSuffix} + PermissionModel: SELF_MANAGED Capabilities: - - "CAPABILITY_NAMED_IAM" - AutoDeployment: - Enabled: true - RetainStacksOnAccountRemoval: false + - "CAPABILITY_NAMED_IAM" ManagedExecution: Active: true OperationPreferences:
@@ -464,7 +487,8 @@ Resources: Effect: "Allow" Principal: AWS: - !Sub "arn:aws:iam::${AWS::AccountId}:root" + - !Sub arn:aws:iam::${AWS::AccountId}:root + - !Sub arn:aws:iam::${AWS::AccountId}:role/sysdig-secure-scanning-stackset-execution-${NameSuffix} Action: "kms:*" Resource: "*" ScanningKmsAlias:
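Review bot: `ExecutionRole` in the hunk at -394 is attached to two account-wide managed policies, `AWSKeyManagementServicePowerUser` and `AWSCloudFormationFullAccess`, although the stack instances it runs only create a KMS key and its `ScanningKmsAlias` (hunk at -464), and that key's policy already grants the role per-key permissions directly. An inline policy holding just the creation actions the key policy cannot provide keeps the member-account blast radius to this use case; the CloudFormation policy may still be needed for stack operations in the target account, which should be confirmed rather than assumed. The trust policy's `Version: 2012-10-17` is unquoted and is read as a timestamp rather than a string by YAML 1.1 parsers and by tooling that pre-processes the template, so write `Version: "2012-10-17"`. The `OrganizationKMSKeyStackSet` properties continue past the end of the hunk.
```yaml
      # … unchanged: RoleName and AssumeRolePolicyDocument …
      Policies:
        - PolicyName: !Sub sysdig-secure-scanning-kms-stackset-${NameSuffix}
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - kms:CreateKey    # has no resource to scope; later actions on the key come from its key policy
                  - kms:CreateAlias
                  - kms:DeleteAlias
                Resource: "*"
      # TODO(review): confirm this action set against the key stack template before merging
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AWSCloudFormationFullAccess
```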