{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Outputs": {
    "ExternalID": {
      "Description": "Your External ID",
      "Value": {
        "Ref": "ExternalId"
      }
    },
    "ControlMonkeyRoleArn": {
      "Description": "Your Role ARN",
      "Value": {
        "Fn::GetAtt": [
          "ControlMonkeyRole",
          "Arn"
        ]
      }
    }
  },
  "Parameters": {
    "ControlMonkeyRoleName": {
      "Default": "ControlMonkey-Role",
      "Description": "Enter the name of the IAM role that will be created in your account",
      "Type": "String"
    },
    "ExternalId": {
      "Description": "Enter the External ID; our service must present it when assuming the role",
      "Type": "String"
    }
  },
  "Resources": {
    "ControlMonkeyReadOnlyPolicy": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyName": "ControlMonkeyReadOnlyPolicy",
        "Roles": [
          {
            "Ref": "ControlMonkeyRole"
          }
        ],
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "AutoScaling",
              "Resource": "*",
              "Action": [
                "autoscaling:Describe*",
                "autoscaling:Get*",
                "autoscaling:List*"
              ],
              "Effect": "Allow"
            },
            {
              "Sid": "ApplicationAutoScaling",
              "Resource": "*",
              "Action": [
                "application-autoscaling:Describe*",
                "application-autoscaling:Get*",
                "application-autoscaling:List*"
              ],
              "Effect": "Allow"
            },
            {
              "Sid": "Batch",
              "Resource": "*",
              "Action": [
                "batch:Describe*",
                "batch:Get*",
                "batch:List*"
              ],
              "Effect": "Allow"
            },
            {
              "Sid": "CloudFormation",
              "Resource": "*",
              "Action": [
                "cloudformation:Describe*",
                "cloudformation:EstimateTemplateCost",
                "cloudformation:Get*",
                "cloudformation:List*",
                "cloudformation:ValidateTemplate",
                "cloudformation:Detect*"
              ],
              "Effect": "Allow"
            },
            {
              "Sid": "CloudFront",
              "Resource": "*",
              "Action": [
                "cloudfront:Describe*",
                "cloudfront:Get*",
                "cloudfront:List*"
              ],
              "Effect": "Allow"
            },
            {
              "Sid": "ComputeOptimizer",
              "Resource": "*",
              "Action": [
                "compute-optimizer:Describe*",
                "compute-optimizer:Get*",
                "compute-optimizer:Export*"
              ],
              "Effect": "Allow"
            },
            {
              "Sid": "Cognito",
              "Resource": "*",
              "Action": [
                "cognito-idp:Describe*",
                "cognito-idp:Get*",
                "cognito-idp:List*"
              ],
              "Effect": "Allow"
            },
            {
              "Sid": "CloudWatch",
              "Resource": "*",
              "Action": [
                "cloudwatch:Describe*",
                "cloudwatch:Get*",
                "cloudwatch:List*"
              ],
              "Effect": "Allow"
            },
            {
              "Sid": "DirectConnect",
              "Resource": "*",
              "Action": [
                "directconnect:Describe*"
              ],
              "Effect": "Allow"
            },
            {
              "Sid": "DynamoDB",
              "Resource": "*",
              "Action": [
                "dynamodb:Describe*",
                "dynamodb:List*"
              ],
              "Effect": "Allow"
            },
            {
              "Sid": "EC2",
              "Resource": "*",
              "Action": [
                "ec2:Describe*",
                "ec2:Get*",
                "ec2:Search*"
              ],
              "Effect": "Allow"
            },
            {
              "Sid": "Redshift",
              "Resource": "*",
              "Action": [
                "redshift:Describe*"
              ],
              "Effect": "Allow"
            },
            {
              "Sid": "ResourceExplorer",
              "Effect": "Allow",
              "Action": [
                "resource-explorer-2:Get*",
                "resource-explorer-2:List*",
                "resource-explorer-2:Search",
                "resource-explorer-2:BatchGetView"
              ],
              "Resource": "*"
            },
            {
              "Sid": "ECS",
              "Resource": "*",
              "Action": [
                "ecs:List*",
                "ecs:Describe*"
              ],
              "Effect": "Allow"
            },
            {
              "Sid": "ECR",
              "Resource": "*",
              "Action": [
                "ecr:Get*",
                "ecr:List*",
                "ecr:Describe*",
                "ecr-public:Get*",
                "ecr-public:List*",
                "ecr-public:Describe*"
              ],
              "Effect": "Allow"
            },
            {
              "Sid": "EKS",
              "Resource": "*",
              "Action": [
                "eks:List*",
                "eks:Describe*"
              ],
              "Effect": "Allow"
            },
            {
              "Sid": "EventBridge",
              "Resource": "*",
              "Action": [
                "events:List*",
                "events:Describe*"
              ],
              "Effect": "Allow"
            },
            {
              "Sid": "ElastiCache",
              "Resource": "*",
              "Action": [
                "elasticache:Describe*",
                "elasticache:List*"
              ],
              "Effect": "Allow"
            },
            {
              "Sid": "ElasticLoadbalancing",
              "Resource": "*",
              "Action": [
                "elasticloadbalancing:Describe*"
              ],
              "Effect": "Allow"
            },
            {
              "Sid": "IAM",
              "Resource": "*",
              "Action": [
                "iam:Get*",
                "iam:List*"
              ],
              "Effect": "Allow"
            },
            {
              "Sid": "Lambda",
              "Resource": "*",
              "Action": [
                "lambda:Get*",
                "lambda:List*"
              ],
              "Effect": "Allow"
            },
            {
              "Sid": "RDS",
              "Resource": "*",
              "Action": [
                "rds:Describe*",
                "rds:List*"
              ],
              "Effect": "Allow"
            },
            {
              "Sid": "ResourceGroupsTaggingApi",
              "Resource": "*",
              "Action": [
                "tag:Get*",
                "tag:Describe*"
              ],
              "Effect": "Allow"
            },
            {
              "Sid": "Route53",
              "Resource": "*",
              "Action": [
                "route53:Get*",
                "route53:List*"
              ],
              "Effect": "Allow"
            },
            {
              "Sid": "Route53RecoveryReadiness",
              "Effect": "Allow",
              "Action": [
                "route53-recovery-readiness:ListCells",
                "route53-recovery-readiness:GetCell",
                "route53-recovery-readiness:ListTagsForResources"
              ],
              "Resource": "*"
            },
            {
              "Sid": "S3ListBuckets",
              "Resource": "*",
              "Action": [
                "s3:GetBucket*",
                "s3:ListBucket*",
                "s3:ListAllMyBuckets",
                "s3:GetReplicationConfiguration",
                "s3:GetAccelerateConfiguration",
                "s3:GetEncryptionConfiguration",
                "s3:GetLifecycleConfiguration",
                "s3:GetAnalyticsConfiguration",
                "s3:GetInventoryConfiguration",
                "s3:GetMetricsConfiguration",
                "s3:GetIntelligentTieringConfiguration"
              ],
              "Effect": "Allow"
            },
            {
              "Sid": "S3ScanTfStateFiles",
              "Action":  ["s3:GetObject"],
              "Effect": "Allow",
              "Resource": [
                "arn:aws:s3:::*terraform*",
                "arn:aws:s3:::*tfstate*",
                "arn:aws:s3:::*tf?state*",
                "arn:aws:s3:::*state*"
              ]
            },
            {
              "Sid": "S3DecryptStateFiles",
              "Action":  ["kms:Decrypt"],
              "Effect": "Allow",
              "Resource": "*",
              "Condition": {
                "StringEquals": {
                  "kms:ViaService": [
                    "s3.us-east-1.amazonaws.com",
                    "s3.us-east-2.amazonaws.com",
                    "s3.us-west-2.amazonaws.com",
                    "s3.eu-west-1.amazonaws.com",
                    "s3.eu-central-1.amazonaws.com",
                    "s3.ap-south-1.amazonaws.com",
                    "s3.ap-northeast-1.amazonaws.com",
                    "s3.ap-southeast-1.amazonaws.com"
                  ]
                }
              }
            },
            {
              "Sid": "SNS",
              "Resource": "*",
              "Action": [
                "sns:Get*",
                "sns:List*"
              ],
              "Effect": "Allow"
            },
            {
              "Sid": "SQS",
              "Resource": "*",
              "Action": [
                "sqs:Get*",
                "sqs:List*"
              ],
              "Effect": "Allow"
            },
            {
              "Sid": "SSM",
              "Resource": "*",
              "Action": [
                "ssm:Describe*",
                "ssm:Get*",
                "ssm:List*"
              ],
              "Effect": "Allow"
            },
            {
              "Sid": "ACM",
              "Resource": "*",
              "Action": [
                "acm:Describe*",
                "acm:List*"
              ],
              "Effect": "Allow"
            },
            {
              "Sid": "CloudWatchLogs",
              "Resource": "*",
              "Action": [
                "logs:Get*",
                "logs:List*"
              ],
              "Effect": "Allow"
            },
            {
              "Sid": "Config",
              "Effect": "Allow",
              "Action": [
                "config:GetDiscoveredResourceCounts"
              ],
              "Resource": "*"
            },
            {
              "Sid": "Glue",
              "Resource": "*",
              "Action": [
                "glue:Get*",
                "glue:List*"
              ],
              "Effect": "Allow"
            },
            {
              "Sid": "WAFV2",
              "Resource": "*",
              "Action": [
                "wafv2:Describe*",
                "wafv2:Get*",
                "wafv2:List*"
              ],
              "Effect": "Allow"
            },
            {
              "Sid": "EFS",
              "Resource": "*",
              "Action": [
                "elasticfilesystem:Describe*",
                "elasticfilesystem:List*"
              ],
              "Effect": "Allow"
            },
            {
              "Sid": "KMS",
              "Resource": "*",
              "Action": [
                "kms:Describe*",
                "kms:Get*",
                "kms:List*"
              ],
              "Effect": "Allow"
            },
            {
              "Sid": "SecretsManager",
              "Resource": "*",
              "Action": [
                "secretsmanager:Describe*",
                "secretsmanager:GetResourcePolicy",
                "secretsmanager:List*"
              ],
              "Effect": "Allow"
            },
            {
              "Sid": "MSK",
              "Resource": "*",
              "Action": [
                "kafka:Describe*",
                "kafka:Get*",
                "kafka:List*"
              ],
              "Effect": "Allow"
            },
            {
              "Sid": "RAM",
              "Resource": "*",
              "Action": [
                "ram:Get*",
                "ram:List*"
              ],
              "Effect": "Allow"
            },
            {
              "Sid": "Athena",
              "Resource": "*",
              "Action": [
                "athena:Get*",
                "athena:List*"
              ],
              "Effect": "Allow"
            },
            {
              "Sid": "ApiGateway",
              "Resource": "*",
              "Action": [
                "apigateway:Get*"
              ],
              "Effect": "Allow"
            },
            {
              "Sid": "Backup",
              "Resource": "*",
              "Action": [
                "backup:Describe*",
                "backup:Get*",
                "backup:List*"
              ],
              "Effect": "Allow"
            },
            {
              "Sid": "Budgets",
              "Resource": "*",
              "Action": [
                "budgets:Describe*"
              ],
              "Effect": "Allow"
            },
            {
              "Sid": "CloudSearch",
              "Resource": "*",
              "Action": [
                "cloudsearch:Describe*",
                "cloudsearch:List*"
              ],
              "Effect": "Allow"
            },
            {
              "Sid": "CloudTrail",
              "Resource": "*",
              "Action": [
                "cloudtrail:Get*",
                "cloudtrail:List*",
                "cloudtrail:LookupEvents"
              ],
              "Effect": "Allow"
            },
            {
              "Sid": "CodeBuild",
              "Resource": "*",
              "Action": [
                "codebuild:Describe*",
                "codebuild:Get*",
                "codebuild:List*",
                "codebuild:BatchGet*"
              ],
              "Effect": "Allow"
            },
            {
              "Sid": "CodePipeline",
              "Resource": "*",
              "Action": [
                "codepipeline:Describe*",
                "codepipeline:Get*",
                "codepipeline:List*"
              ],
              "Effect": "Allow"
            },
            {
              "Sid": "CodeCommit",
              "Resource": "*",
              "Action": [
                "codecommit:Get*",
                "codecommit:List*"
              ],
              "Effect": "Allow"
            },
            {
              "Sid": "CodeDeploy",
              "Resource": "*",
              "Action": [
                "codedeploy:Get*",
                "codedeploy:List*",
                "codedeploy:BatchGet*"
              ],
              "Effect": "Allow"
            },
            {
              "Sid": "DataLifecycleManager",
              "Resource": "*",
              "Action": [
                "dlm:Get*",
                "dlm:List*"
              ],
              "Effect": "Allow"
            },
            {
              "Sid": "DatabaseMigrationService",
              "Resource": "*",
              "Action": [
                "dms:Describe*",
                "dms:List*"
              ],
              "Effect": "Allow"
            },
            {
              "Sid": "ElasticBeanstalk",
              "Resource": "*",
              "Action": [
                "elasticbeanstalk:Describe*",
                "elasticbeanstalk:List*"
              ],
              "Effect": "Allow"
            },
            {
              "Sid": "ElasticBeanstalkS3",
              "Action": [
                "s3:GetObject"
              ],
              "Effect": "Allow",
              "Resource": [
                "arn:aws:s3:::elasticbeanstalk-env-resources-*"
              ]
            },
            {
              "Sid": "ElasticMapReduce",
              "Resource": "*",
              "Action": [
                "elasticmapreduce:Describe*",
                "elasticmapreduce:Get*",
                "elasticmapreduce:List*"
              ],
              "Effect": "Allow"
            },
            {
              "Sid": "ImageBuilder",
              "Resource": "*",
              "Action": [
                "imagebuilder:Get*",
                "imagebuilder:List*"
              ],
              "Effect": "Allow"
            },
            {
              "Sid": "Kinesis",
              "Resource": "*",
              "Action": [
                "kinesis:Describe*",
                "kinesis:Get*",
                "kinesis:List*"
              ],
              "Effect": "Allow"
            },
            {
              "Sid": "KinesisAnalytics",
              "Resource": "*",
              "Action": [
                "kinesisanalytics:Describe*",
                "kinesisanalytics:List*"
              ],
              "Effect": "Allow"
            },
            {
              "Sid": "KinesisVideo",
              "Resource": "*",
              "Action": [
                "kinesisvideo:Describe*",
                "kinesisvideo:Get*",
                "kinesisvideo:List*"
              ],
              "Effect": "Allow"
            },
            {
              "Sid": "MemoryDB",
              "Resource": "*",
              "Action": [
                "memorydb:Describe*",
                "memorydb:List*"
              ],
              "Effect": "Allow"
            },
            {
              "Sid": "MQ",
              "Resource": "*",
              "Action": [
                "mq:Describe*",
                "mq:List*"
              ],
              "Effect": "Allow"
            },
            {
              "Sid": "Extras",
              "Resource": "*",
              "Action": [
                "neptune-db:Describe*",
                "neptune-db:List*",
                "network-firewall:Describe*",
                "network-firewall:List*",
                "networkmanager:Describe*",
                "networkmanager:Get*",
                "networkmanager:List*",
                "es:Describe*",
                "es:Get*",
                "es:List*",
                "trustedadvisor:Describe*",
                "trustedadvisor:List*",
                "support:Describe*",
                "servicequotas:Get*",
                "servicequotas:List*",
                "sagemaker:Describe*",
                "sagemaker:Get*",
                "sagemaker:List*",
                "ses:Describe*",
                "ses:Get*",
                "ses:List*",
                "waf:Get*",
                "waf:List*",
                "sso:Describe*",
                "sso:Get*",
                "sso:List*",
                "sso:Search*",
                "identitystore:Describe*",
                "identitystore:Get*",
                "identitystore:List*",
                "codestar-notifications:Describe*",
                "codestar-notifications:List*",
                "firehose:Describe*",
                "firehose:List*",
                "appconfig:List*",
                "appconfig:Get*",
                "airflow:List*",
                "airflow:Get*",
                "scheduler:List*",
                "scheduler:Get*",
                "mediaconvert:List*",
                "mediaconvert:Get*",
                "cloudhsm:Describe*",
                "appflow:List*",
                "appflow:Describe*",
                "organizations:List*",
                "organizations:Describe*",
                "controltower:Describe*",
                "controltower:List*",
                "controltower:Get*",
                "bedrock:List*",
                "bedrock:Get*",
                "bedrock-agentcore:List*",
                "bedrock-agentcore:Get*"
              ],
              "Effect": "Allow"
            }
          ]
        }
      }
    },
    "ControlMonkeyRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "RoleName": {
          "Ref": "ControlMonkeyRoleName"
        },
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "AWS": "arn:aws:iam::127110329002:root"
              },
              "Action": "sts:AssumeRole",
              "Condition": {
                "StringEquals": {
                  "sts:ExternalId": {
                    "Ref": "ExternalId"
                  }
                }
              }
            }
          ]
        },
        "ManagedPolicyArns": [
          "arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"
        ]
      }
    }
  }
}