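---
# Cross-account IAM resources that let BMC Helix Discovery scan AWS accounts.
#
# Deploy once per account (for example via an AWS Organizations StackSet):
#   - In the management account (MgmtAccountId equals this account) it creates
#     the IAM group and the discovery IAM user that hold the scanning identity.
#   - In every account (management and member) it creates
#     bmcDiscoveryROScanTrustRole, which that user assumes cross-account.
#
# Security review notes (check against your own requirements before deploying):
#   - ReadOnlyAccess is broader than resource-metadata discovery: it includes
#     data-plane reads such as s3:GetObject. If Discovery only needs inventory,
#     consider ViewOnlyAccess plus the explicit List*/Describe* actions it needs.
#   - bmcDiscoverySessionManagerScanPolicy grants ssm:StartSession on every EC2
#     instance, i.e. interactive Session Manager access. That is not read-only;
#     scope it (tags, specific SSM documents) where possible and alert on
#     ssm:StartSession events for this role/user in CloudTrail.
#   - The trust policy binds the role to a single IAM user ARN in the management
#     account. That user can assume this role in every account where the
#     template is deployed, so protect it (MFA, key rotation, no console access
#     unless required). No access keys are created by this template.
#
# Date-like scalars are quoted so generic YAML 1.1 parsers (yamllint, PyYAML)
# keep them as strings instead of converting them to dates.
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  This template creates required cross-account role permissions for BMC Helix
  Discovery to scan account resources. Supports both use of AWS Organizations
  and non-AWS Organization environments account. **WARNING** This template
  creates AWS resources. You will be billed for the AWS resources used if you
  create a stack from this template. Use at your own risk.

Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: Discovery Parameters
        Parameters:
          - MgmtAccountId
          - IAMUserName
    ParameterLabels:
      MgmtAccountId:
        default: Management/Master Account ID
      IAMUserName:
        default: Discovery IAM user name

Parameters:
  MgmtAccountId:
    # 12-digit account ID; MinLength/MaxLength together with the pattern pin
    # the exact length so a mistyped ID fails at stack creation.
    AllowedPattern: '[0-9]+'
    Description: The 12 digit AWS account number to grant access to.
    MaxLength: '12'
    MinLength: '12'
    Type: String
  IAMUserName:
    # Name of the IAM user that will switch into bmcDiscoveryROScanTrustRole.
    # In the management account the user is created with this name; in member
    # accounts the name is only used to build the trusted principal ARN.
    Description: Name of IAM user to be used to switch roles
    Type: String
    Default: discovery

Conditions:
  # True only when the stack runs in the management account itself; gates the
  # creation of the IAM user/group and their policy attachments.
  IsMgmtAccount: !Equals
    - !Ref 'MgmtAccountId'
    - !Ref 'AWS::AccountId'

Resources:
  # Group to consolidate the Discovery scan permissions as a best practice,
  # even though we only have one user 'discovery' in the group.
  bmcDiscoveryROScanIAMGroup:
    Condition: IsMgmtAccount
    Type: AWS::IAM::Group
    Properties:
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/ReadOnlyAccess
        - arn:aws:iam::aws:policy/AWSOrganizationsReadOnlyAccess
      Policies:
        - PolicyName: bmcDiscoveryROScanAssumeRolePolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - sts:AssumeRole
                # The wildcard account is intentional: the user must reach the
                # role in every scanned account. The gating control is each
                # target role's trust policy, which names this user explicitly.
                Resource:
                  - arn:aws:iam::*:role/bmcDiscoveryROScanTrustRole

  # The scanning identity. Created only in the management account.
  bmcDiscoveryOutpostUser:
    Condition: IsMgmtAccount
    Type: AWS::IAM::User
    Properties:
      UserName: !Ref 'IAMUserName'
      Groups:
        - !Ref 'bmcDiscoveryROScanIAMGroup'

  # Role assumed by the discovery user. Created in every account.
  bmcDiscoveryROScanTrustRole:
    Type: AWS::IAM::Role
    Metadata:
      cfn-lint:
        config:
          ignore_checks:
            - W28
      cfn_nag:
        rules_to_suppress:
          - id: W28
            reason: "Explicit name defined to allow BMC Discovery to reference a known value across all customer environments"
    Properties:
      RoleName: bmcDiscoveryROScanTrustRole
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              # Only the single discovery user in the management account may
              # assume this role. In the management account the !Ref also
              # creates a dependency so the user exists before the role.
              AWS: !Sub
                - 'arn:aws:iam::${MgmtAccountId}:user/${DiscoveryUserName}'
                - DiscoveryUserName: !If
                    - IsMgmtAccount
                    - !Ref bmcDiscoveryOutpostUser
                    - !Ref IAMUserName
      Path: /
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/ReadOnlyAccess

  # Read actions that ReadOnlyAccess does not cover at the time of writing.
  bmcDiscoveryAdditionalROScanPolicy:
    Type: AWS::IAM::Policy
    Metadata:
      cfn-lint:
        config:
          ignore_checks:
            - W12
      cfn_nag:
        rules_to_suppress:
          - id: W12
            reason: "Wildcard used to allow BMC Discovery to find all resources."
    Properties:
      PolicyName: bmcDiscoveryAdditionalROScanPolicy
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - lakeformation:List*
              - sdb:DomainMetadata
            Resource: '*'
      # Attach to the group only in the management account. The !If is applied
      # to the whole property: AWS::NoValue is documented to remove a property
      # when returned from Fn::If, not to drop an element from a list.
      Groups: !If
        - IsMgmtAccount
        - - !Ref 'bmcDiscoveryROScanIAMGroup'
        - !Ref 'AWS::NoValue'
      Roles:
        - !Ref 'bmcDiscoveryROScanTrustRole'

  # Session Manager access used by Discovery to reach instances. These are
  # interactive, not read-only, permissions (see header notes).
  bmcDiscoverySessionManagerScanPolicy:
    Type: AWS::IAM::Policy
    Metadata:
      cfn-lint:
        config:
          ignore_checks:
            - W12
      cfn_nag:
        rules_to_suppress:
          - id: W12
            reason: "Wildcard used to allow BMC Discovery to find all resources."
    Properties:
      PolicyName: bmcDiscoverySessionManagerScanPolicy
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - ssm:StartSession
            # Any EC2 instance in any region/account this identity can reach.
            # Consider an aws:ResourceTag condition to limit the target set.
            Resource: arn:aws:ec2:*:*:instance/*
          - Effect: Allow
            Action:
              - ssm:ResumeSession
              - ssm:TerminateSession
            # '*' allows acting on sessions opened by other principals. AWS
            # guidance is to restrict these to the caller's own sessions via a
            # session ARN prefix; the exact prefix depends on how the session
            # is opened (user vs. assumed role) -- verify before tightening.
            Resource: '*'
      # Same property-level !If as above: omit Groups in member accounts.
      Groups: !If
        - IsMgmtAccount
        - - !Ref 'bmcDiscoveryROScanIAMGroup'
        - !Ref 'AWS::NoValue'
      Roles:
        - !Ref 'bmcDiscoveryROScanTrustRole'

Outputs:
  RoleARN:
    Description: The ARN of the role that can be assumed by the other account.
    Value: !GetAtt 'bmcDiscoveryROScanTrustRole.Arn'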