diff --git a/modules/services/trust-relationship/README.md b/modules/services/trust-relationship/README.md
index ec0e7b0..9ea16e9 100644
--- a/modules/services/trust-relationship/README.md
+++ b/modules/services/trust-relationship/README.md
@@ -3,7 +3,9 @@
 This module will deploy a Trust Relationship (IAM Role) into a single AWS account, or each account within an AWS Organization.
 
 The following resources will be created in each instrumented account:
-- An IAM Role and associated IAM Policiy (`arn:aws:iam::aws:policy/SecurityAudit`) to grant Sysdig read only permissions to secure you AWS Account.
+- An IAM Role and associated IAM Policies mentioned below to grant Sysdig read only permissions to secure you AWS Account:
+ - `arn:aws:iam::aws:policy/SecurityAudit`
+ - a custom policy (`custom_resources_policy`)
 - An Access Policy attached to this role using a Sysdig provided `ExternalId`.
 
 If instrumenting an AWS Organization, an `aws_cloudformation_stack_set` will be created in the Management Account.
@@ -34,6 +36,7 @@ No modules.
 | [aws_cloudformation_stack_set_instance.stackset_instance](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack_set_instance) | resource |
 | [aws_iam_role.cspm_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_organizations_organization.org](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/organizations_organization) | data source |
+| [aws_iam_policy_document.custom_resources_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 
 ## Inputs
 
diff --git a/modules/services/trust-relationship/main.tf b/modules/services/trust-relationship/main.tf
index 0d48280..9614414 100644
--- a/modules/services/trust-relationship/main.tf
+++ b/modules/services/trust-relationship/main.tf
@@ -37,6 +37,58 @@ resource "aws_iam_role" "cspm_role" {
 }
 EOF
 managed_policy_arns = ["arn:aws:iam::aws:policy/SecurityAudit"]
+ inline_policy {
+ name = var.role_name
+ policy = data.aws_iam_policy_document.custom_resources_policy.json
+ }
+}
+
+# Custom IAM Policy Document used by trust-relationship role
+data "aws_iam_policy_document" "custom_resources_policy" {
+
+ statement {
+ sid = "DescribeEFSAccessPoints"
+
+ effect = "Allow"
+
+ actions = [
+ "elasticfilesystem:DescribeAccessPoints",
+ ]
+
+ resources = [
+ "*",
+ ]
+ }
+
+ statement {
+ sid = "ListWafRegionalRulesAndRuleGroups"
+
+ effect = "Allow"
+
+ actions = [
+ "waf-regional:ListRules",
+ "waf-regional:ListRuleGroups",
+ ]
+
+ resources = [
+ "arn:aws:waf-regional:*:*:rule/*",
+ "arn:aws:waf-regional:*:*:rulegroup/*"
+ ]
+ }
+
+ statement {
+ sid = "AccessAccountContactInfo"
+
+ effect = "Allow"
+
+ actions = [
+ "account:GetContactInformation",
+ ]
+
+ resources = [
+ "*",
+ ]
+ }
 }
 
 #----------------------------------------------------------
@@ -77,6 +129,28 @@ Resources:
 sts:ExternalId: ${var.external_id}
 ManagedPolicyArns:
 - "arn:aws:iam::aws:policy/SecurityAudit"
+ Policies:
+ - PolicyName: ${var.role_name}
+ PolicyDocument:
+ Version: "2012-10-17"
+ Statement:
+ - Sid: "DescribeEFSAccessPoints"
+ Effect: "Allow"
+ Action: "elasticfilesystem:DescribeAccessPoints"
+ Resource: "*"
+ - Sid: "ListWafRegionalRulesAndRuleGroups"
+ Effect: "Allow"
+ Action:
+ - "waf-regional:ListRules"
+ - "waf-regional:ListRuleGroups"
+ Resource:
+ - "arn:aws:waf-regional:*:*:rule/*"
+ - "arn:aws:waf-regional:*:*:rulegroup/*"
+ - Sid: "AccessAccountContactInfo"
+ Effect: "Allow"
+ Action:
+ - "account:GetContactInformation"
+ Resource: "*"
 TEMPLATE
 }
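Review bot: The three `statement` blocks in `custom_resources_policy` carry no comment saying which Sysdig check needs each permission, so a later reviewer cannot tell whether `account:GetContactInformation` (which exposes the account's contact details) is still required or can be dropped; a one-line `#` comment above each `statement` naming the consuming check would keep the least-privilege case auditable. The same document is duplicated by hand in the CloudFormation `Policies:` block of the following hunk, so every future change must be made twice or the single-account and Organization deployments will drift; deriving the YAML from the data source's `.json` (for example `jsonencode(jsondecode(data.aws_iam_policy_document.custom_resources_policy.json))` on one line) would leave one source of truth. It is also worth confirming in the Service Authorization Reference that `waf-regional:ListRules` and `waf-regional:ListRuleGroups` honour the `rule/*` and `rulegroup/*` ARNs given in `resources`; if these list actions are not resource-scoped, the statement would silently grant nothing until `resources` is `"*"`. The `aws_iam_role.cspm_role` resource this hunk extends starts outside the hunk.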
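Review bot: `PolicyName: ${var.role_name}` is interpolated into the YAML template unquoted, so unless `role_name` is validated elsewhere, a value starting with a YAML reserved indicator such as `@` (which IAM permits in role names) would make the generated stack set template fail to parse, while the HCL `inline_policy` in the previous hunk accepts the same value without complaint; quoting it, `- PolicyName: "${var.role_name}"`, keeps the two deployment paths behaving alike. The Sid, Action and Resource values are already quoted, so this is the only unquoted interpolation the hunk adds. The heredoc's `Resources:` mapping starts outside the hunk.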