Permissions for Payer account
# Payer-account CloudFormation resources (YAML). Creates the cross-account role
# WivAccessRole and the three inline policies attached to it.
# Parameters WivAccount, ExternalId and AthenaARN are referenced below but are
# not part of this excerpt.
CrossAccountRole:
  Type: 'AWS::IAM::Role'
  Properties:
    RoleName: WivAccessRole
    AssumeRolePolicyDocument:
      Version: 2012-10-17
      Statement:
        # Cross-account trust: only the WivAccount root, and only when the
        # caller presents the agreed ExternalId (confused-deputy protection).
        - Effect: Allow
          Principal:
            AWS: !Sub arn:aws:iam::${WivAccount}:root
          Action: 'sts:AssumeRole'
          Condition:
            StringEquals:
              'sts:ExternalId': !Ref ExternalId
        # Service trust for EventBridge rules and API destinations.
        # NOTE(review): these two statements carry no aws:SourceAccount /
        # aws:SourceArn condition, so any account's EventBridge resources could
        # in principle be pointed at this role; AWS recommends adding one for
        # service principals — confirm with the product team.
        - Effect: Allow
          Principal:
            Service: events.amazonaws.com
          Action: sts:AssumeRole
        - Effect: Allow
          Principal:
            Service: apidestinations.events.amazonaws.com
          Action: sts:AssumeRole
    Tags:
      - Key: 'Wiv'
        # Single-element !Join; equivalent to the literal 'Wiv-Infrastructure'.
        Value: !Join
          - ''
          - - 'Wiv-Infrastructure'
      - Key: 'Wiv:originalResourceId'
        Value: 'Payer-Role-Stack'
WivPayerAccessPolicy:
  Type: AWS::IAM::Policy
  Properties:
    PolicyName: WivPayerAccessPolicy
    Roles:
      - !Ref CrossAccountRole
    PolicyDocument:
      Version: 2012-10-17
      Statement:
        # Full S3 control, but scoped to the CUR bucket wiv-cur-<account id>
        # and the objects in it.
        - Effect: Allow
          Action: 's3:*'
          Resource:
            - !Join
              - ''
              - - 'arn:aws:s3:::'
                - wiv-cur-
                - !Ref 'AWS::AccountId'
            - !Join
              - ''
              - - 'arn:aws:s3:::'
                - wiv-cur-
                - !Ref 'AWS::AccountId'
                - /*
        # Account-wide read access for cost and inventory data.
        # NOTE(review): a few actions in this list mutate state
        # (rds:CreateDBSnapshot, ce:CreateAnomalySubscription, ce:TagResource,
        # trustedadvisor:Exclude/IncludeCheckItems, trustedadvisor:RefreshCheck,
        # support:RefreshTrustedAdvisorCheck); on Resource '*' they apply to
        # every matching resource in the account — confirm each is required.
        - Effect: Allow
          Action:
            - account:GetAccountInformation
            - billing:Get*
            - cloudfront:GetDistribution
            - cloudfront:GetDistributionConfig
            - cloudfront:ListDistributions
            - cloudfront:GetCachePolicyConfig
            - cloudtrail:Describe*
            - cloudtrail:Get*
            - cloudtrail:List*
            - cloudwatch:Describe*
            - cloudwatch:Get*
            - cloudwatch:List*
            - compute-optimizer:Describe*
            - compute-optimizer:Get*
            - config:Describe*
            - config:Get*
            - config:List*
            - consolidatedbilling:Get*
            - consolidatedbilling:List*
            - cur:Get*
            - dynamodb:Describe*
            - dynamodb:ListTables
            - dynamodb:ListTagsOfResource
            - ebs:List*
            - ec2:Describe*
            - ecs:Describe*
            - ecs:List*
            - ecr:Describe*
            - ecr:List*
            - elasticache:Describe*
            - elasticache:List*
            - elasticloadbalancing:Describe*
            - es:Describe*
            - es:List*
            - invoicing:List*
            - kafka:Describe*
            - kafka:List*
            - kms:List*
            - lambda:ListFunctions
            - lambda:ListProvisionedConcurrencyConfigs
            - lambda:ListTags
            - logs:DescribeLogGroups
            - payments:Get*
            - payments:List*
            - rds:Describe*
            # Write action: creates a snapshot of any DB instance in the account.
            - rds:CreateDBSnapshot
            - rds:List*
            - redshift:Describe*
            - s3:Describe*
            - s3:GetAccelerateConfiguration
            - s3:GetBucketVersioning
            - s3:GetLifecycleConfiguration
            - s3:List*
            - savingsplans:DescribeSavingsPlansOfferings
            - servicequotas:ListServiceQuotas
            - servicequotas:ListServices
            - support:Describe*
            - support:DescribeTrustedAdvisorCheckResult
            - support:DescribeTrustedAdvisorChecks
            - support:RefreshTrustedAdvisorCheck
            - tag:GetResources
            - tag:GetTagKeys
            - tax:Get*
            - tax:List*
            - trustedadvisor:Describe*
            - trustedadvisor:ExcludeCheckItems
            - trustedadvisor:GenerateReport
            - trustedadvisor:Get*
            - trustedadvisor:IncludeCheckItems
            - trustedadvisor:List*
            - trustedadvisor:RefreshCheck
            # IAM action names are matched case-insensitively, so the lowercase
            # prefix below behaves like eks:List*.
            - eks:list*
            - cloudtrail:LookupEvents
            - ce:Get*
            - ce:List*
            - ce:Describe*
            - ce:CreateAnomalySubscription
            - ce:TagResource
            - route53:ListHostedZones
            - route53:ListHostedZonesByName
            - route53:ListResourceRecordSets
            - tag:GetTagValues
            - autoscaling:Describe*
            - backup:List*
            - application-autoscaling:Describe*
          Resource: '*'
        # Athena queries, restricted to the workgroup/resource passed in AthenaARN.
        - Effect: Allow
          Action:
            - 'athena:StartQueryExecution'
            - 'athena:GetQueryExecution'
            - 'athena:GetQueryResults'
          Resource: !Ref AthenaARN
        # StackSet deployment, limited to stack sets whose name contains
        # WivOrgStackSet in this account.
        - Effect: Allow
          Action:
            - 'cloudformation:CreateStackInstances'
            - 'cloudformation:DescribeStackSetOperation'
          Resource:
            - !Join
              - ''
              - - 'arn:aws:cloudformation:*:'
                - !Ref 'AWS::AccountId'
                - ':stackset-target/*WivOrgStackSet*'
            - !Join
              - ''
              - - 'arn:aws:cloudformation:*:'
                - !Ref 'AWS::AccountId'
                - ':stackset/*WivOrgStackSet*'
        # Resource types the stack set is allowed to create. IAM roles,
        # groups and policies are among them, so the deployed stack set can
        # itself create identities in the target accounts.
        - Effect: Allow
          Action:
            - 'cloudformation:CreateStackInstances'
          Resource:
            - 'arn:aws:cloudformation:us-east-1::type/resource/AWS-IAM-Role'
            - 'arn:aws:cloudformation:us-east-1::type/resource/AWS-IAM-Group'
            - 'arn:aws:cloudformation:us-east-1::type/resource/AWS-IAM-Policy'
            - 'arn:aws:cloudformation:us-east-1::type/resource/AWS-CloudFormation-CustomResource'
            - 'arn:aws:cloudformation:us-east-1::type/resource/AWS-S3-Bucket'
            - 'arn:aws:cloudformation:us-east-1::type/resource/AWS-Lambda-Function'
        # Full Glue control, scoped to the catalog plus the wivdb database, its
        # tables and its user-defined functions in the stack's region.
        - Action: 'glue:*'
          Effect: Allow
          Resource:
            - !Join
              - ''
              - - 'arn:aws:glue:'
                - !Ref 'AWS::Region'
                - ':'
                - !Ref 'AWS::AccountId'
                - ':catalog'
            - !Join
              - ''
              - - 'arn:aws:glue:'
                - !Ref 'AWS::Region'
                - ':'
                - !Ref 'AWS::AccountId'
                - ':database/wivdb'
            - !Join
              - ''
              - - 'arn:aws:glue:'
                - !Ref 'AWS::Region'
                - ':'
                - !Ref 'AWS::AccountId'
                - ':table/wivdb'
                - /*
            - !Join
              - ''
              - - 'arn:aws:glue:'
                - !Ref 'AWS::Region'
                - ':'
                - !Ref 'AWS::AccountId'
                - ':userDefinedFunction/wivdb'
                - /*
# Read-only visibility of the organization and its member accounts.
OrganizationRetrievalPolicy:
  Type: AWS::IAM::Policy
  Properties:
    PolicyName: organization-retrieval
    Roles:
      - !Ref CrossAccountRole
    PolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Action:
            - 'iam:ListAccountAliases'
            - 'organizations:DescribeOrganization'
            - 'organizations:ListAccounts'
          Resource: '*'
# EventBridge rule / API-destination management used to push events to Wiv.
EventbridgePolicy:
  Type: AWS::IAM::Policy
  Properties:
    PolicyName: eventbridge
    Roles:
      - !Ref CrossAccountRole
    PolicyDocument:
      Version: "2012-10-17"
      Statement:
        # Rule, target, connection and API-destination management on any
        # EventBridge resource in the account. events:CreateConnection is listed
        # twice (harmless duplicate).
        - Effect: Allow
          Action:
            - events:PutRule
            - events:PutTargets
            - events:CreateApiDestination
            - events:InvokeApiDestination
            - events:CreateConnection
            - events:DeleteApiDestination
            - events:RemoveTargets
            - events:TagResource
            - events:CreateConnection
            - events:DescribeConnection
            - events:DescribeApiDestination
          Resource: '*'
        # Secrets Manager access limited to the secrets EventBridge creates for
        # connections (events!connection/ prefix).
        - Effect: Allow
          Action:
            - secretsmanager:CreateSecret
            - secretsmanager:PutSecretValue
            - secretsmanager:UpdateSecret
            - secretsmanager:GetSecretValue
            - secretsmanager:DeleteSecret
            - secretsmanager:DescribeSecret
          Resource:
            - !Join
              - ''
              - - 'arn:aws:secretsmanager:*:'
                - !Ref 'AWS::AccountId'
                - ':secret:events!connection/*'
        # Lets the role pass itself to EventBridge and inspect its own policies.
        # NOTE(review): iam:PutRolePolicy on the role's own ARN allows the role
        # to attach arbitrary inline policy to itself, which makes every other
        # scoping in this template advisory rather than enforced. The
        # linked-account template on this page grants only iam:PassRole here —
        # confirm PutRolePolicy on CrossAccountRole is actually needed.
        - Effect: Allow
          Action:
            - iam:PassRole
            - iam:PutRolePolicy
            - iam:ListAttachedRolePolicies
            - iam:ListRolePolicies
            - iam:GetRolePolicy
          Resource: !GetAtt CrossAccountRole.Arn
        # Service-linked role for API destinations.
        # NOTE(review): service-linked role ARNs carry an aws-service-role/ path
        # segment (role/aws-service-role/apidestinations.events.amazonaws.com/...),
        # as the linked-account template on this page uses; the path below omits
        # it, so this statement and the AttachRolePolicy/PutRolePolicy statement
        # that follows may not match the real role — verify against a deployed
        # account.
        - Effect: Allow
          Action:
            - iam:CreateServiceLinkedRole
          Resource:
            - !Join
              - ''
              - - 'arn:aws:iam::'
                - !Ref 'AWS::AccountId'
                - ':role/apidestinations.events.amazonaws.com/AWSServiceRoleForAmazonEventBridgeApiDestinations'
          Condition:
            StringLike:
              iam:AWSServiceName: "apidestinations.events.amazonaws.com"
        - Effect: "Allow"
          Action:
            - "iam:AttachRolePolicy"
            - "iam:PutRolePolicy"
          Resource:
            - !Join
              - ''
              - - 'arn:aws:iam::'
                - !Ref 'AWS::AccountId'
                - ':role/apidestinations.events.amazonaws.com/AWSServiceRoleForAmazonEventBridgeApiDestinations'
        # Rule deletion is tag-scoped: only rules tagged
        # Wiv-Infrastructure=true can be removed. Note this is a different tag
        # key from the 'Wiv' tag applied to the role above.
        - Effect: Allow
          Action:
            - events:DeleteRule
          Resource: '*'
          Condition:
            StringEquals:
              "aws:ResourceTag/Wiv-Infrastructure": "true"
Permissions for Linked accounts
"CrossAccountRole": { "Type": "AWS::IAM::Role", "Properties": { "RoleName": "WivAccessRole", "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": { "Fn::Sub": "arn:aws:iam::${WivAccount}:root" } }, "Action": "sts:AssumeRole", "Condition": { "StringEquals": { "sts:ExternalId": { "Ref": "ExternalId" } } } }, { "Effect": "Allow", "Principal": { "Service": [ "events.amazonaws.com", "apidestinations.events.amazonaws.com" ] }, "Action": "sts:AssumeRole" } ] }, "Tags": [ { "Key": "Wiv", "Value": "Wiv-Infrastructure" }, { "Key": "WivOriginalResourceId", "Value": "Org-Role-Stack" } ] } }, "WivCoreAccessPolicy": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyName": "WivCoreAccessPolicy", "Roles": [ { "Ref": "CrossAccountRole" } ], "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "account:GetAccountInformation", "athena:GetQueryExecution", "athena:GetQueryResults", "athena:StartQueryExecution", "billing:Get*", "cloudfront:GetDistribution", "cloudfront:GetDistributionConfig", "cloudfront:ListDistributions", "cloudfront:GetCachePolicyConfig", "cloudtrail:Describe*", "cloudtrail:Get*", "cloudtrail:List*", "cloudtrail:LookupEvents", "cloudwatch:Describe*", "cloudwatch:Get*", "cloudwatch:List*", "compute-optimizer:Describe*", "compute-optimizer:Get*", "config:Describe*", "config:Get*", "config:List*", "consolidatedbilling:Get*", "consolidatedbilling:List*", "cur:Get*", "dynamodb:Describe*", "dynamodb:ListTables", "dynamodb:ListTagsOfResource", "ebs:List*", "ec2:Describe*", "ecs:Describe*", "ecs:List*", "ecr:Describe*", "ecr:List*", "eks:DescribeCluster", "eks:List*", "elasticache:Describe*", "elasticache:List*", "elasticloadbalancing:Describe*", "es:Describe*", "es:List*", "events:InvokeApiDestination", "invoicing:List*", "kafka:Describe*", "kafka:List*", "kms:List*", "lambda:ListFunctions", "lambda:ListProvisionedConcurrencyConfigs", "lambda:ListTags", 
"logs:DescribeLogGroups", "payments:Get*", "payments:List*", "rds:Describe*", "rds:CreateDBSnapshot", "rds:List*", "redshift:Describe*", "route53:ListHostedZones", "route53:ListHostedZonesByName", "route53:ListResourceRecordSets", "s3:Describe*", "s3:GetAccelerateConfiguration", "s3:GetBucketVersioning", "s3:GetLifecycleConfiguration", "s3:List*", "savingsplans:DescribeSavingsPlansOfferings", "servicequotas:ListServiceQuotas", "servicequotas:ListServices", "support:Describe*", "support:DescribeTrustedAdvisorCheckResult", "support:DescribeTrustedAdvisorChecks", "support:RefreshTrustedAdvisorCheck", "tag:GetResources", "tag:GetTagKeys", "tag:GetTagValues", "tax:Get*", "tax:List*", "trustedadvisor:Describe*", "trustedadvisor:ExcludeCheckItems", "trustedadvisor:GenerateReport", "trustedadvisor:Get*", "trustedadvisor:IncludeCheckItems", "trustedadvisor:List*", "trustedadvisor:RefreshCheck", "autoscaling:Describe*", "ce:Get*", "ce:List*", "ce:Describe*", "ce:CreateAnomalySubscription", "ce:TagResource", "backup:List*", "application-autoscaling:Describe*" ], "Resource": "*" } ] } } }, "OrganizationRetrievalPolicy": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyName": "OrganizationRetrievalPolicy", "Roles": [ { "Ref": "CrossAccountRole" } ], "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iam:ListAccountAliases", "organizations:DescribeOrganization", "organizations:ListAccounts" ], "Resource": "*" } ] } } }, "EventbridgePolicy": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyName": "EventbridgePolicy", "Roles": [ { "Ref": "CrossAccountRole" } ], "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "events:PutRule", "events:PutTargets", "events:CreateApiDestination", "events:InvokeApiDestination", "events:CreateConnection", "events:DeleteApiDestination", "events:RemoveTargets", "events:TagResource", "events:CreateConnection", "events:DescribeConnection", 
"events:DescribeApiDestination" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "secretsmanager:CreateSecret", "secretsmanager:PutSecretValue", "secretsmanager:UpdateSecret", "secretsmanager:GetSecretValue", "secretsmanager:DeleteSecret", "secretsmanager:DescribeSecret" ], "Resource": { "Fn::Join": [ "", [ "arn:aws:secretsmanager:*:", { "Ref": "AWS::AccountId" }, ":secret:events!connection/*" ] ] } }, { "Effect": "Allow", "Action": "iam:PassRole", "Resource": { "Fn::GetAtt": [ "CrossAccountRole", "Arn" ] } }, { "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": { "Fn::Join": [ "", [ "arn:aws:iam::", { "Ref": "AWS::AccountId" }, ":role/aws-service-role/events.amazonaws.com/AWSServiceRoleForAmazonEventBridgeApiDestinations" ] ] }, "Condition": { "StringLike": { "iam:AWSServiceName": "apidestinations.events.amazonaws.com" } } }, { "Effect": "Allow", "Action": [ "iam:AttachRolePolicy", "iam:PutRolePolicy" ], "Resource": { "Fn::Join": [ "", [ "arn:aws:iam::", { "Ref": "AWS::AccountId" }, ":role/aws-service-role/apidestinations.events.amazonaws.com/AWSServiceRoleForAmazonEventBridgeApiDestinations" ] ] } }, { "Effect": "Allow", "Action": "events:DeleteRule", "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/Wiv-Infrastructure": "true" } } } ] } } }