Skip to content

Commit

Permalink
fix(modules): volume access allow KMS installing user
Browse files Browse the repository at this point in the history
  • Loading branch information
cgeers committed Sep 10, 2024
1 parent 2edb270 commit cbe24e2
Showing 1 changed file with 30 additions and 3 deletions.
33 changes: 30 additions & 3 deletions modules/volume_access.cft.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -255,7 +255,8 @@ Resources:
Effect: "Allow"
Principal:
AWS:
- !Sub "arn:aws:iam::${AWS::AccountId}:root"
- !Sub arn:aws:iam::${AWS::AccountId}:root
- !Sub arn:aws:iam::${AWS::AccountId}:role/sysdig-secure-scanning-stackset-execution-${NameSuffix}
Action: "kms:*"
Resource: "*"
ScanningKmsAlias:
Expand Down Expand Up @@ -289,6 +290,8 @@ Resources:
ParameterValue: !Ref TrustedIdentity
- ParameterKey: ExternalID
ParameterValue: !Ref ExternalID
- ParameterKey: AdministrationRoleID
ParameterValue: !GetAtt AdministrationRole.RoleId
StackInstancesGroup:
- DeploymentTargets:
OrganizationalUnitIds: !Ref OrganizationalUnitIDs
Expand All @@ -312,6 +315,9 @@ Resources:
ScanningAccountID:
Type: String
Description: The AWS Account ID of the Sysdig Scanning Account
AdministrationRoleID:
Type: String
Description: The ID of the Administration Role allowed to assume the execution role(s) in the target account
Resources:
ScanningRole:
Type: AWS::IAM::Role
Expand Down Expand Up @@ -394,13 +400,33 @@ Resources:
Condition:
StringEqualsIgnoreCase:
"aws:ResourceTag/CreatedBy": "Sysdig"
ExecutionRole:
Type: AWS::IAM::Role
Properties:
RoleName: !Sub sysdig-secure-scanning-stackset-execution-${NameSuffix}
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
AWS:
- !Ref AdministrationRoleID
Action:
- sts:AssumeRole
ManagedPolicyArns:
- arn:aws:iam::aws:policy/AWSKeyManagementServicePowerUser
- arn:aws:iam::aws:policy/AWSCloudFormationFullAccess
OrganizationKMSKeyStackSet:
Type: AWS::CloudFormation::StackSet
Condition: IsOrganizational
DependsOn:
- OrganizationRoleStackSet
Properties:
StackSetName: !Sub sysdig-secure-scanning-organization-kmskey-${NameSuffix}
Description: IAM Role used to create KMS Keys to scan organization accounts/regions
PermissionModel: SERVICE_MANAGED
AdministrationRoleARN: !GetAtt AdministrationRole.Arn
ExecutionRoleName: !Sub sysdig-secure-scanning-stackset-execution-${NameSuffix}
PermissionModel: SELF_MANAGED
Capabilities:
- "CAPABILITY_NAMED_IAM"
AutoDeployment:
Expand Down Expand Up @@ -464,7 +490,8 @@ Resources:
Effect: "Allow"
Principal:
AWS:
- !Sub "arn:aws:iam::${AWS::AccountId}:root"
- !Sub arn:aws:iam::${AWS::AccountId}:root
- !Sub arn:aws:iam::${AWS::AccountId}:role/sysdig-secure-scanning-stackset-execution-${NameSuffix}
Action: "kms:*"
Resource: "*"
ScanningKmsAlias:
Expand Down

0 comments on commit cbe24e2

Please sign in to comment.