account.yaml

AWSTemplateFormatVersion: "2010-09-09"
Description: Allows Fugue to check this account for security and compliance
Parameters:
  RoleName:
    Type: String
    Description: Name of the IAM role to create for Fugue
  FugueAccountId:
    Type: String
    Description: Fugue AWS account ID
  FugueExternalId:
    Type: String
    Description: External ID associated with your Fugue account
Resources:
  FugueRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Ref RoleName
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              AWS: !Join [ ":", [ "arn:aws:iam:", !Ref FugueAccountId, "role/generate-credentials" ] ]
            Action: "sts:AssumeRole"
            Condition:
              StringEquals:
                "sts:ExternalId": !Ref FugueExternalId
      Policies:
        - PolicyName: Fugue
          PolicyDocument: {
            "Version": "2012-10-17",
            "Statement": [
              {
                "Sid": "0",
                "Effect": "Allow",
                "Resource": "*",
                "Action": [
                  "acm-pca:DescribeCertificateAuthority",
                  "acm-pca:GetCertificateAuthorityCertificate",
                  "acm-pca:GetCertificateAuthorityCsr",
                  "acm-pca:ListCertificateAuthorities",
                  "acm-pca:ListTags",
                  "apigateway:GET",
                  "cloudwatch:GetDashboard",
                  "cloudwatch:ListDashboards",
                  "cloudwatch:ListTagsForResource",
                  "cognito-idp:DescribeIdentityProvider",
                  "cognito-idp:DescribeResourceServer",
                  "cognito-idp:DescribeUserPool",
                  "cognito-idp:DescribeUserPoolClient",
                  "cognito-idp:DescribeUserPoolDomain",
                  "cognito-idp:GetGroup",
                  "cognito-idp:ListGroups",
                  "cognito-idp:ListIdentityProviders",
                  "cognito-idp:ListResourceServers",
                  "cognito-idp:ListUserPoolClients",
                  "ds:DescribeConditionalForwarders",
                  "ds:ListTagsForResource",
                  "dynamodb:ListTagsOfResource",
                  "ecr:ListTagsForResource",
                  "elasticache:ListTagsForResource",
                  "elasticfilesystem:DescribeLifecycleConfiguration",
                  "elasticfilesystem:DescribeTags",
                  "glacier:GetVaultNotifications",
                  "glacier:ListTagsForVault",
                  "kinesis:DescribeStreamSummary",
                  "lambda:GetAlias",
                  "lambda:GetEventSourceMapping",
                  "lambda:GetFunction",
                  "macie:ListMemberAccounts",
                  "macie:ListS3Resources",
                  "mediastore:DescribeContainer",
                  "mediastore:ListTagsForResource",
                  "secretsmanager:DescribeSecret",
                  "sns:GetSubscriptionAttributes",
                  "sns:ListSubscriptions",
                  "sns:ListTagsForResource",
                  "ssm:GetDocument",
                  "ssm:GetMaintenanceWindow",
                  "ssm:GetMaintenanceWindowTask",
                  "ssm:GetParameter",
                  "ssm:GetParameters",
                  "ssm:GetPatchBaseline",
                  "ssm:ListAssociations",
                  "ssm:ListResourceDataSync",
                  "ssm:ListTagsForResource",
                  "states:DescribeStateMachine",
                  "states:ListTagsForResource",
                  "waf:GetLoggingConfiguration",
                  "waf:GetWebACL",
                  "waf:ListTagsForResource"
                ]
              }
            ]
          }
      ManagedPolicyArns: ["arn:aws:iam::aws:policy/SecurityAudit"]

Outputs:
  FugueRoleArn:
    Description: IAM Role for Fugue
    Value: !GetAtt FugueRole.Arn
    Export:
      Name: !Join [ ":", [ !Ref "AWS::StackName", FugueRoleArn ] ]