{ "AWSTemplateFormatVersion": "2010-09-09", "Description": "Prisma Cloud IAM Role to set read permissions", "Parameters": { "PrismaCloudRoleName": { "Type": "String", "Description": "Provide an role ARN name (Example: PrismaCloudReadOnlyRole)", "AllowedPattern": "[-_a-zA-Z0-9]+", "Default": "PrismaCloudReadOnlyRole" }, "ExternalID": { "Type": "String", "Description": "Provide an ExternalID (Example: Xoih821ddwf)", "MinLength": "1", "AllowedPattern": "[a-zA-Z0-9\\=\\,\\.\\@\\:\\/\\-_]*", "ConstraintDescription": "ExternalID must contain alphanumeric characters and only these special characters are allowed =,.@:/-. " } }, "Resources": { "PrismaCloudRole": { "Type": "AWS::IAM::Role", "Properties": { "ManagedPolicyArns": [ "arn:aws:iam::aws:policy/SecurityAudit", "arn:aws:iam::aws:policy/AWSCloudFormationReadOnlyAccess" ], "MaxSessionDuration" : 43200, "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::188619942792:root" }, "Action": "sts:AssumeRole", "Condition": { "StringEquals": { "sts:ExternalId": { "Ref": "ExternalID" } } } } ] }, "Policies": [ { "PolicyName": "PrismaCloud-IAM-ReadOnly-Policy", "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Action": [ "account:GetAlternateContact", "apigateway:GET", "acm-pca:ListTags", "acm-pca:GetPolicy", "airflow:GetEnvironment", "appstream:DescribeStacks", "appstream:DescribeUsageReportSubscriptions", "appstream:DescribeImages", "appstream:DescribeFleets", "appstream:ListTagsForResource", "apprunner:DescribeAutoScalingConfiguration", "apprunner:ListAutoScalingConfigurations", "apprunner:ListTagsForResource", "apprunner:ListServices", "apprunner:DescribeCustomDomains", "apprunner:DescribeService", "appflow:DescribeFlow", "appflow:ListFlows", "appsync:GetGraphqlApi", "aps:DescribeLoggingConfiguration", "aps:ListWorkspaces", "amplify:ListApps", "backup:ListTags", "backup:GetBackupVaultAccessPolicy", "chime:GetVoiceConnectorLoggingConfiguration", "cloud9:ListTagsForResource", "cognito-identity:DescribeIdentityPool", "codeartifact:ListDomains", "codeartifact:DescribeDomain", "codeartifact:GetDomainPermissionsPolicy", "codeartifact:ListTagsForResource", "codeartifact:DescribeRepository", "codepipeline:ListTagsForResource", "connect:ListInstances", "connect:ListInstanceStorageConfigs", "connect:ListInstanceAttributes", "databrew:DescribeJob", "databrew:ListJobs", "devops-guru:DescribeServiceIntegration", "ds:ListTagsForResource", "ec2:SearchTransitGatewayRoutes", "ecr:GetRegistryScanningConfiguration", "ecr:GetRegistryPolicy", "ecr:DescribeRegistry", "ecr:DescribePullThroughCacheRules", "ecr-public:ListTagsForResource", "eks:ListTagsForResource", "eks:ListFargateProfiles", "eks:DescribeFargateProfile", "elasticfilesystem:DescribeTags", "elasticfilesystem:DescribeFileSystemPolicy", "fms:GetAdminAccount", "fms:GetPolicy", "forecast:DescribePredictor", "forecast:DescribeAutoPredictor", "forecast:ListTagsForResource", "forecast:ListPredictors", "forecast:DescribeDataset", "glacier:ListTagsForVault", "glue:GetConnections", "glue:GetConnection", "glue:GetSecurityConfigurations", "grafana:DescribeWorkspace", "grafana:DescribeWorkspaceAuthentication", "grafana:ListWorkspaces", "kendra:ListTagsForResource", "kafka:ListClusters", "kinesisanalytics:ListTagsForResource", "kinesisanalytics:DescribeApplication", "kinesisvideo:ListTagsForStream", "kinesisvideo:ListStreams", "kinesisvideo:DescribeNotificationConfiguration", "lambda:GetFunctionUrlConfig", "lex:GetBot", "lex:GetBots", "lex:GetBotVersions", "lex:ListTagsForResource", "lex:ListBotVersions", "lex:DescribeBotVersion", "lakeformation:GetDataLakeSettings", "logs:GetLogEvents", "macie2:GetClassificationExportConfiguration", "macie2:GetMacieSession", "macie2:GetRevealConfiguration", "macie2:GetFindingsPublicationConfiguration", "memorydb:DescribeParameters", "memorydb:DescribeParameterGroups", "memorydb:ListTags", "memorydb:DescribeClusters", "mq:listBrokers", "mq:describeBroker", "mediastore:ListTagsForResource", "mobiletargeting:GetEmailChannel", "mobiletargeting:GetSmsChannel", "mobiletargeting:GetApps", "network-firewall:DescribeFirewall", "network-firewall:ListFirewallPolicies", "network-firewall:DescribeFirewallPolicy", "network-firewall:DescribeResourcePolicy", "ram:GetResourceShares", "ssm:GetDocument", "ssm:GetParameters", "transcribe:ListLanguageModels", "transcribe:ListTagsForResource", "sns:listSubscriptions", "sns:ListPlatformApplications", "cognito-idp:ListResourcesForWebACL", "wafv2:GetLoggingConfiguration", "waf:GetLoggingConfiguration", "waf-regional:GetLoggingConfiguration", "s3:DescribeJob", "s3:ListJobs", "s3:GetJobTagging", "ssm:GetInventory", "shield:GetSubscriptionState", "states:ListTagsForResource", "storagegateway:DescribeSMBFileShares", "storagegateway:DescribeSMBSettings", "translate:GetTerminology", "qldb:ListLedgers", "qldb:ListTagsForResource", "identitystore:ListUsers", "identitystore:ListGroups", "identitystore:ListGroupMemberships", "sso:ListInstances", "sso:ListPermissionSets", "sso:ListAccountsForProvisionedPermissionSet", "sso:ListAccountAssignments", "iotanalytics:ListChannels", "iotanalytics:ListTagsForResource", "devicefarm:ListProjects", "elastictranscoder:ListPipelines", "resiliencehub:ListApps", "managedblockchain:ListNetworks", "cognito-sync:ListIdentityPoolUsage", "servicecatalog:ListApplications", "servicecatalog:ListAttributeGroups", "servicecatalog:ListPortfolios", "elasticbeanstalk:DescribeApplications", "iotanalytics:ListDatastores", "iotevents:ListInputs", "comprehend:ListEntitiesDetectionJobs", "comprehendmedical:ListEntitiesDetectionV2Jobs", "greengrass:ListCoreDefinitions", "greengrass:ListGroups", "iotfleetwise:ListSignalCatalogs", "lookoutequipment:ListDatasets", "lookoutmetrics:ListAnomalyDetectors", "lookoutvision:ListProjects", "opsworks:DescribeUserProfiles", "polly:DescribeVoices", "securityhub:DescribeStandards", "servicediscovery:ListNamespaces", "swf:ListDomains", "cloudhsm:DescribeClusters", "ce:GetCostAndUsage", "macie2:ListOrganizationAdminAccounts", "support:DescribeCases", "elasticfilesystem:DescribeAccessPoints", "ssm:GetInventory", "ssm:GetInventorySchema", "glue:ListCrawlers", "glue:GetCrawler", "backup:ListBackupPlans", "backup:GetBackupPlan", "backup:ListTags", "wellarchitected:GetWorkload", "wellarchitected:ListWorkloads", "budgets:ViewBudget", "wafv2:GetRuleGroup", "codebuild:ListSourceCredentials", "drs:DescribeSourceServers", "drs:GetReplicationConfiguration", "auditmanager:GetAssessment", "auditmanager:GetControl", "mgn:DescribeLaunchConfigurationTemplates", "ec2:GetLaunchTemplateData", "codecommit:GetApprovalRuleTemplate", "codepipeline:ListWebhooks", "drs:DescribeJobs", "imagebuilder:ListInfrastructureConfigurations", "imagebuilder:GetInfrastructureConfiguration", "imagebuilder:ListImagePipelines", "imagebuilder:GetImagePipeline", "imagebuilder:ListImageRecipes", "imagebuilder:GetImageRecipe", "imagebuilder:ListComponents", "imagebuilder:GetComponent", "glue:ListSchemas", "glue:GetSchema" ], "Effect": "Allow", "Resource": "*" } ] } }, { "PolicyName": "PrismaCloud-IAM-ReadOnly-Policy-ElasticBeanstalk", "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Sid": "RequiredForAwsElasticbeanstalkConfigurationSettingsApiIngestion", "Action": [ "s3:GetObject" ], "Effect": "Allow", "Resource": "arn:aws:s3:::elasticbeanstalk-*/*" } ] } }, { "PolicyName": "PrismaCloud-ReadOnly-Policy-Compute", "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Action": [ "ecr:BatchCheckLayerAvailability", "ecr:BatchGetImage", "ecr:GetAuthorizationToken", "ecr:GetDownloadUrlForLayer", "ecr:GetLifecyclePolicyPreview", "secretsmanager:GetSecretValue", "lambda:GetLayerVersion", "ssm:GetParameter", "securityhub:BatchImportFindings", "kms:Decrypt", "lambda:GetFunction" ], "Effect": "Allow", "Resource": "*" } ] } }, { "PolicyName": "PrismaCloud-ReadOnly-Compute-Policy-EKS-Audit", "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Action": [ "logs:StartQuery", "logs:GetQueryResults" ], "Effect": "Allow", "Resource": "*" } ] } }, { "PolicyName": "PrismaCloud-ReadOnly-Policy-Bridgecrew", "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Action": [ "s3:ListBucket", "lambda:GetLayerVersion", "lambda:GetEventSourceMapping", "lambda:GetFunction", "sns:GetSubscriptionAttributes", "ecr:DescribeRegistry", "ecr:BatchCheckLayerAvailability", "ecr:BatchGetImage", "ecr:BatchGetRepositoryScanningConfiguration", "ecr:DescribeImageReplicationStatus", "ecr:DescribePullThroughCacheRules", "ecr:GetAuthorizationToken", "ecr:GetDownloadUrlForLayer", "ecr:GetLifecyclePolicyPreview", "ecr:GetRegistryPolicy" ], "Effect": "Allow", "Resource": "*" } ] } } ], "RoleName": { "Ref": "PrismaCloudRoleName" } } } }, "Outputs": { "PrismaCloudARN": { "Value": { "Fn::GetAtt": [ "PrismaCloudRole", "Arn" ] }, "Description": "Role ARN to configure within PrismaCloud Account Setup" } } }