{
"AWSTemplateFormatVersion" : "2010-09-09",
"Description" : "Baseline account configuration: IAM groups for system and security administrators, a self-service change-password managed policy, a default EC2 instance role and instance profile, a cross-account oversight role, and a multi-region CloudTrail trail. No IAM users are created by this template.",
"Parameters" : {
"PayerAccountID" : {
"Description" : "Account ID of the payer account. Intended so that users in the payer account can assume the CrossAccountOversight role in this account; that role carries AdministratorAccess, i.e. full control over this account. NOTE(review): as written, the role's trust policy names the ds.amazonaws.com service principal rather than this account, and uses this public, predictable account ID as the sts:ExternalId value. Confirm the intended principal, and use an unguessable external ID if confused-deputy protection is wanted.",
"Type" : "String",
"Default": "123456789012",
"ConstraintDescription" : "Must be a valid AWS Account ID without hyphens.",
"AllowedPattern": "\\d{12}",
"MinLength": "12",
"MaxLength": "12"
},
"CloudTrailBucketName" : {
"Description" : "Name of the existing S3 bucket to store CloudTrail log files in. Best practice is to log to a bucket in another account. This template does not create or configure the bucket: it must already exist with a bucket policy that allows CloudTrail to write to it, otherwise trail creation is rejected. The trail defined below does not enable log file validation or KMS encryption; add them if tamper evidence is required.",
"Type" : "String",
"Default": "audit-bucket",
"ConstraintDescription" : "Must be the name of an existing S3 bucket."
}
},
"Resources" : {
"ChangeYourPassword" : {
"Type" : "AWS::IAM::ManagedPolicy",
"Properties" : {
"Description" : "This policy grants access to the ChangePassword action, which lets users change only their own passwords from the console, the AWS CLI, Tools for Windows PowerShell, or the API. It also grants access to the GetAccountPasswordPolicy action, which lets the user view the current password policy; this permission is required so that the user can display the Change Password page in the console. The user must be able to read the current password policy to ensure the changed password meets the requirements of the policy.",
"Path" : "/AccountConfig/",
"PolicyDocument" : {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "iam:GetAccountPasswordPolicy",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "iam:ChangePassword",
"Resource" : {"Fn::Join": ["", ["arn:aws:iam::", { "Ref" : "AWS::AccountId" } , ":user/${aws:username}"]]}
}
]
}
}
},
"DefaultInstanceRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"Path": "/AccountConfig/",
"RoleName": "DefaultInstanceRole",
"AssumeRolePolicyDocument": {
"Version" : "2012-10-17",
"Statement": [ {
"Effect": "Allow",
"Principal": {
"Service": [ "ec2.amazonaws.com" ]
},
"Action": [ "sts:AssumeRole" ]
} ]
},
"ManagedPolicyArns": [ "arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess" ]
}
},
"DefaultInstanceProfile": {
"Type": "AWS::IAM::InstanceProfile",
"Properties": {
"Path": "/AccountConfig/",
"Roles": [ {
"Ref": "DefaultInstanceRole"
} ]
}
},
"CrossAccountOversightRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"Path": "/AccountConfig/",
"RoleName": "CrossAccountOversight",
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ds.amazonaws.com"
},
"Action": ["sts:AssumeRole"],
"Condition": {
"StringEquals": {
"sts:externalid": {"Ref": "PayerAccountID"}
}
}
}
]
},
"ManagedPolicyArns": [ "arn:aws:iam::aws:policy/AdministratorAccess" ]
}
},
"SystemAdmininstratorsGroup": {
"Type": "AWS::IAM::Group",
"Properties": {
"Path": "/AccountConfig/",
"GroupName": "SystemAdmininstrators",
"ManagedPolicyArns": [
"arn:aws:iam::aws:policy/AmazonEC2FullAccess",
"arn:aws:iam::aws:policy/AmazonS3FullAccess",
"arn:aws:iam::aws:policy/AmazonRDSFullAccess",
"arn:aws:iam::aws:policy/AmazonRoute53FullAccess",
"arn:aws:iam::aws:policy/ReadOnlyAccess",
{"Ref": "ChangeYourPassword"}
]
}
},
"SecurityAdmininstratorsGroup": {
"Type": "AWS::IAM::Group",
"Properties": {
"Path": "/AccountConfig/",
"GroupName": "SecurityAdmininstrators",
"ManagedPolicyArns": [
"arn:aws:iam::aws:policy/IAMFullAccess",
"arn:aws:iam::aws:policy/ReadOnlyAccess",
{"Ref": "ChangeYourPassword"}
]
}
},
"AuditTrail" : {
"Type" : "AWS::CloudTrail::Trail",
"Properties" : {
"S3BucketName" : {"Ref":"CloudTrailBucketName"},
"IsLogging" : true,
"IncludeGlobalServiceEvents" : true,
"IsMultiRegionTrail" : true
}
}
}
}