Trust Policy (AssumeRolePolicyDocument)
| Principal | Condition | Why We Need It |
|---|---|---|
| arn:aws:iam::613007325984:root | sts:ExternalId must match parameter | Allows Wiv's AWS account to assume this role securely; the ExternalId prevents confused-deputy attacks |
| events.amazonaws.com | None | Allows the EventBridge service to assume the role when executing rules and targets |
| apidestinations.events.amazonaws.com | None | Allows the EventBridge API Destinations service to assume the role for HTTP endpoint invocations |
WivPayerAccessPolicy
S3 - CUR Bucket Access
| Permission | Resource | Why We Need It |
|---|---|---|
| s3:* | arn:aws:s3:::wiv-cur-{AccountId} | Full access to the CUR bucket itself for managing report storage |
| s3:* | arn:aws:s3:::wiv-cur-{AccountId}/* | Full access to all CUR report files for reading and processing billing data |
Account & Billing
| Permission | Resource | Why We Need It |
|---|---|---|
| account:GetAccountInformation | * | Retrieve account-level settings and contact information for account identification |
| billing:Get* | * | Access billing dashboard data, preferences, and billing-related settings |
| consolidatedbilling:Get* | * | Get consolidated billing information across the organization for unified cost views |
| consolidatedbilling:List* | * | List all linked accounts under consolidated billing for multi-account analysis |
| invoicing:List* | * | List invoices and line items for invoice-level cost tracking |
| payments:Get* | * | Get payment methods and payment history for billing health monitoring |
| payments:List* | * | List payment transactions for financial reconciliation |
| tax:Get* | * | Get tax settings, exemptions, and tax-related configurations |
| tax:List* | * | List tax registrations and documents for compliance visibility |
Cost Explorer & CUR
| Permission | Resource | Why We Need It |
|---|---|---|
| ce:Get* | * | Retrieve cost data, forecasts, reservations, savings plans, and anomaly information |
| ce:List* | * | List cost allocation tags, cost categories, and anomaly monitors |
| ce:Describe* | * | Describe cost category definitions and report configurations |
| ce:CreateAnomalySubscription | * | Create automated alerts when cost anomalies are detected |
| ce:TagResource | * | Tag Cost Explorer resources for organization and tracking |
| cur:Get* | * | Get Cost and Usage Report definitions and delivery status |
Compute Optimizer
| Permission | Resource | Why We Need It |
|---|---|---|
| compute-optimizer:Describe* | * | Describe optimization enrollment status and preferences |
| compute-optimizer:Get* | * | Get rightsizing recommendations for EC2, EBS, Lambda, and ECS to reduce costs |
Trusted Advisor
| Permission | Resource | Why We Need It |
|---|---|---|
| trustedadvisor:Describe* | * | Describe Trusted Advisor check categories and statuses |
| trustedadvisor:Get* | * | Get detailed check results for cost optimization, security, and performance |
| trustedadvisor:List* | * | List available checks and affected resources |
| trustedadvisor:RefreshCheck | * | Refresh checks to get the latest recommendations |
| trustedadvisor:GenerateReport | * | Generate comprehensive Trusted Advisor reports |
| trustedadvisor:ExcludeCheckItems | * | Exclude false positives or accepted risks from checks |
| trustedadvisor:IncludeCheckItems | * | Re-include previously excluded items for monitoring |
| support:Describe* | * | Describe support cases and service limits |
| support:DescribeTrustedAdvisorChecks | * | List all available Trusted Advisor checks |
| support:DescribeTrustedAdvisorCheckResult | * | Get detailed results for specific checks |
| support:RefreshTrustedAdvisorCheck | * | Trigger refresh of individual checks for fresh data |
EC2 & Compute
| Permission | Resource | Why We Need It |
|---|---|---|
| ec2:Describe* | * | Describe all EC2 resources including instances, volumes, snapshots, reserved instances, and spot pricing for comprehensive compute analysis |
| ebs:List* | * | List EBS snapshots and volumes for storage cost optimization |
| autoscaling:Describe* | * | Describe Auto Scaling groups, policies, and scaling activities for capacity planning |
| application-autoscaling:Describe* | * | Describe Application Auto Scaling targets for ECS, DynamoDB, and other services |
Containers & Kubernetes
| Permission | Resource | Why We Need It |
|---|---|---|
| ecs:Describe* | * | Describe ECS clusters, services, tasks, and container instances for container cost analysis |
| ecs:List* | * | List ECS resources across all clusters |
| ecr:Describe* | * | Describe ECR repositories and images for storage cost tracking |
| ecr:List* | * | List ECR repositories and image tags |
| eks:list* | * | List EKS clusters and node groups for Kubernetes cost visibility |
Serverless
| Permission | Resource | Why We Need It |
|---|---|---|
| lambda:ListFunctions | * | List all Lambda functions for serverless cost tracking |
| lambda:ListProvisionedConcurrencyConfigs | * | List provisioned concurrency settings, which significantly affect Lambda costs |
| lambda:ListTags | * | List tags on Lambda functions for cost allocation |
Databases
| Permission | Resource | Why We Need It |
|---|---|---|
| rds:Describe* | * | Describe RDS instances, clusters, snapshots, and reserved instances for database cost analysis |
| rds:List* | * | List RDS resources and tags |
| rds:CreateDBSnapshot | * | Create DB snapshots as part of backup optimization workflows |
| dynamodb:Describe* | * | Describe DynamoDB tables, capacity modes, and backup settings for NoSQL cost optimization |
| dynamodb:ListTables | * | List all DynamoDB tables across the account |
| dynamodb:ListTagsOfResource | * | List tags on DynamoDB tables for cost allocation |
| elasticache:Describe* | * | Describe ElastiCache clusters and reserved nodes for caching cost analysis |
| elasticache:List* | * | List ElastiCache resources and tags |
| redshift:Describe* | * | Describe Redshift clusters, reserved nodes, and snapshots for data warehouse cost optimization |
Storage
| Permission | Resource | Why We Need It |
|---|---|---|
| s3:Describe* | * | Describe S3 Storage Lens and bucket configurations |
| s3:List* | * | List all buckets and objects for storage cost analysis |
| s3:GetAccelerateConfiguration | * | Check whether transfer acceleration is enabled, which adds cost |
| s3:GetBucketVersioning | * | Check versioning status, which affects storage costs |
| s3:GetLifecycleConfiguration | * | Get lifecycle rules to analyze storage optimization opportunities |
| backup:List* | * | List AWS Backup plans, vaults, and jobs for backup cost tracking |
Networking & CDN
| Permission | Resource | Why We Need It |
|---|---|---|
| cloudfront:GetDistribution | * | Get CloudFront distribution details for CDN cost analysis |
| cloudfront:GetDistributionConfig | * | Get distribution configuration to identify optimization opportunities |
| cloudfront:ListDistributions | * | List all CloudFront distributions |
| cloudfront:GetCachePolicyConfig | * | Get cache policy settings that affect origin requests and costs |
| elasticloadbalancing:Describe* | * | Describe load balancers, target groups, and listeners for networking cost analysis |
| route53:ListHostedZones | * | List Route 53 hosted zones for DNS cost tracking |
| route53:ListHostedZonesByName | * | List hosted zones by domain name for easier identification |
| route53:ListResourceRecordSets | * | List DNS records to analyze query volumes and costs |
Analytics & Search
| Permission | Resource | Why We Need It |
|---|---|---|
| es:Describe* | * | Describe OpenSearch/Elasticsearch domains for search service cost analysis |
| es:List* | * | List OpenSearch domains and tags |
| kafka:Describe* | * | Describe MSK clusters and configurations for streaming cost analysis |
| kafka:List* | * | List Kafka clusters and topics |
AI/ML
| Permission | Resource | Why We Need It |
|---|---|---|
| sagemaker:ListTrainingJobs | * | List SageMaker training jobs for ML cost tracking |
| sagemaker:DescribeTrainingJob | * | Get training job details including instance types and duration for cost analysis |
| bedrock:InvokeModel | * | Invoke Bedrock foundation models for Wiv's AI-powered features and recommendations |
Monitoring & Logging
| Permission | Resource | Why We Need It |
|---|---|---|
| cloudwatch:Describe* | * | Describe CloudWatch alarms and dashboards |
| cloudwatch:Get* | * | Get metrics data for usage analysis and rightsizing recommendations |
| cloudwatch:List* | * | List metrics, dashboards, and alarms |
| logs:DescribeLogGroups | * | List CloudWatch Log Groups to identify logging costs and optimization opportunities |
| cloudtrail:Describe* | * | Describe CloudTrail trails and their configurations |
| cloudtrail:Get* | * | Get trail configurations and event selectors |
| cloudtrail:List* | * | List trails and tags |
| cloudtrail:LookupEvents | * | Query CloudTrail events to track resource changes and identify cost-impacting actions |
Config & Compliance
| Permission | Resource | Why We Need It |
|---|---|---|
| config:Describe* | * | Describe AWS Config rules and configuration recorders |
| config:Get* | * | Get resource configurations and compliance status |
| config:List* | * | List Config resources, rules, and aggregators |
Other Services
| Permission | Resource | Why We Need It |
|---|---|---|
| kms:List* | * | List KMS keys to track encryption-related costs |
| servicequotas:ListServiceQuotas | * | List service quotas for capacity planning and limit monitoring |
| servicequotas:ListServices | * | List all services with quotas |
| savingsplans:DescribeSavingsPlansOfferings | * | Get available Savings Plans offerings to generate purchase recommendations |
Tagging
| Permission | Resource | Why We Need It |
|---|---|---|
| tag:GetResources | * | Get resources by tag for cost allocation and chargeback |
| tag:GetTagKeys | * | List all tag keys in use across the account |
| tag:GetTagValues | * | Get values for specific tag keys for filtering and grouping |
Athena
| Permission | Resource | Why We Need It |
|---|---|---|
| athena:StartQueryExecution | {AthenaARN} | Execute SQL queries against CUR data for detailed cost analysis |
| athena:GetQueryExecution | {AthenaARN} | Check query execution status and progress |
| athena:GetQueryResults | {AthenaARN} | Retrieve query results for reporting and dashboards |
CloudFormation StackSets
| Permission | Resource | Why We Need It |
|---|---|---|
| cloudformation:CreateStackInstances | arn:aws:cloudformation:*:{AccountId}:stackset-target/*WivOrgStackSet* | Deploy the Wiv role to member accounts in the organization |
| cloudformation:CreateStackInstances | arn:aws:cloudformation:*:{AccountId}:stackset/*WivOrgStackSet* | Create new stack instances from the StackSet definition |
| cloudformation:DescribeStackSetOperation | arn:aws:cloudformation:*:{AccountId}:stackset-target/*WivOrgStackSet* | Monitor deployment progress to member accounts |
| cloudformation:DescribeStackSetOperation | arn:aws:cloudformation:*:{AccountId}:stackset/*WivOrgStackSet* | Check status of StackSet operations |
| cloudformation:CreateStackInstances | arn:aws:cloudformation:us-east-1::type/resource/AWS-IAM-Role | Permission to provision IAM Role resources in member accounts |
| cloudformation:CreateStackInstances | arn:aws:cloudformation:us-east-1::type/resource/AWS-IAM-Group | Permission to provision IAM Group resources in member accounts |
| cloudformation:CreateStackInstances | arn:aws:cloudformation:us-east-1::type/resource/AWS-IAM-Policy | Permission to provision IAM Policy resources in member accounts |
| cloudformation:CreateStackInstances | arn:aws:cloudformation:us-east-1::type/resource/AWS-CloudFormation-CustomResource | Permission to provision Custom Resources in member accounts |
| cloudformation:CreateStackInstances | arn:aws:cloudformation:us-east-1::type/resource/AWS-S3-Bucket | Permission to provision S3 Bucket resources in member accounts |
| cloudformation:CreateStackInstances | arn:aws:cloudformation:us-east-1::type/resource/AWS-Lambda-Function | Permission to provision Lambda Function resources in member accounts |
Glue
| Permission | Resource | Why We Need It |
|---|---|---|
| glue:* | arn:aws:glue:{Region}:{AccountId}:catalog | Full access to the Glue Data Catalog for managing the CUR data schema |
| glue:* | arn:aws:glue:{Region}:{AccountId}:database/wivdb | Manage the wivdb database where CUR tables are stored |
| glue:* | arn:aws:glue:{Region}:{AccountId}:table/wivdb/* | Manage all tables in wivdb including partitions for Athena queries |
| glue:* | arn:aws:glue:{Region}:{AccountId}:userDefinedFunction/wivdb/* | Manage user-defined functions for custom data transformations |
OrganizationRetrievalPolicy
| Permission | Resource | Why We Need It |
|---|---|---|
| iam:ListAccountAliases | * | Retrieve friendly account alias names to display in the Wiv dashboard instead of account IDs |
| organizations:DescribeOrganization | * | Get organization ID, master account, and enabled features for org-level context |
| organizations:ListAccounts | * | Enumerate all member accounts in the organization for multi-account cost visibility |
EventbridgePolicy
EventBridge Rules
| Permission | Resource | Condition | Why We Need It |
|---|---|---|---|
| events:PutRule | * | Tag Wiv-Infrastructure: true | Create EventBridge rules for scheduled cost reports and event-driven workflows |
| events:PutTargets | * | Tag Wiv-Infrastructure: true | Add targets (API destinations, Lambda) to EventBridge rules |
| events:RemoveTargets | * | Tag Wiv-Infrastructure: true | Remove targets from rules during updates or reconfiguration |
| events:DeleteRule | * | Tag Wiv-Infrastructure: true | Delete EventBridge rules during cleanup or disconnection |
| events:TagResource | * | Request tag Wiv-Infrastructure: true | Apply Wiv tags to EventBridge resources for identification and management |
API Destinations
| Permission | Resource | Why We Need It |
|---|---|---|
| events:CreateApiDestination | * | Create HTTP API endpoints to send events to Wiv's backend for real-time data |
| events:InvokeApiDestination | * | Call the API destination endpoints to deliver event data to Wiv |
| events:DeleteApiDestination | * | Remove API destinations during cleanup or reconfiguration |
| events:DescribeApiDestination | * | View API destination configuration and invocation status |
| events:CreateConnection | * | Create authenticated connections with credentials for secure API calls |
| events:DescribeConnection | * | View connection details and authentication status |
Secrets Manager
| Permission | Resource | Why We Need It |
|---|---|---|
| secretsmanager:CreateSecret | arn:aws:secretsmanager:*:{AccountId}:secret:events!connection/* | Create secrets to store EventBridge connection credentials securely |
| secretsmanager:PutSecretValue | arn:aws:secretsmanager:*:{AccountId}:secret:events!connection/* | Store API credential values in secrets |
| secretsmanager:UpdateSecret | arn:aws:secretsmanager:*:{AccountId}:secret:events!connection/* | Update credentials when they rotate or change |
| secretsmanager:GetSecretValue | arn:aws:secretsmanager:*:{AccountId}:secret:events!connection/* | Retrieve credentials for API authentication |
| secretsmanager:DeleteSecret | arn:aws:secretsmanager:*:{AccountId}:secret:events!connection/* | Remove secrets during cleanup |
| secretsmanager:DescribeSecret | arn:aws:secretsmanager:*:{AccountId}:secret:events!connection/* | View secret metadata and rotation configuration |
IAM - Self Role Management
| Permission | Resource | Why We Need It |
|---|---|---|
| iam:PassRole | WivAccessRole ARN | Allow this role to be passed to EventBridge and other services so they can use it when invoking targets |
| iam:PutRolePolicy | WivAccessRole ARN | Add inline policies to the role dynamically for EventBridge setup |
| iam:ListAttachedRolePolicies | WivAccessRole ARN | List managed policies attached to the role to verify its configuration |
| iam:ListRolePolicies | WivAccessRole ARN | List inline policies to check existing permissions |
| iam:GetRolePolicy | WivAccessRole ARN | Read inline policy documents to verify configuration |
IAM - Service Linked Role
| Permission | Resource | Condition | Why We Need It |
|---|---|---|---|
| iam:CreateServiceLinkedRole | ...AWSServiceRoleForAmazonEventBridgeApiDestinations | Service: apidestinations.events.amazonaws.com | Create the AWS-managed service-linked role required for API Destinations to function |
| iam:AttachRolePolicy | ...AWSServiceRoleForAmazonEventBridgeApiDestinations | None | Attach managed policies to the EventBridge service-linked role |
| iam:PutRolePolicy | ...AWSServiceRoleForAmazonEventBridgeApiDestinations | None | Add inline policies to the EventBridge service-linked role |
Summary by Category
| Category | Permission Count | Why We Need It |
|---|---|---|
| S3 (CUR Bucket) | 2 | Read and manage Cost and Usage Report data |
| Account & Billing | 9 | Access billing, invoicing, payments, and tax information |
| Cost Explorer & CUR | 6 | Query cost data, forecasts, and anomaly detection |
| Compute Optimizer | 2 | Get rightsizing recommendations |
| Trusted Advisor | 11 | Access optimization checks and recommendations |
| EC2 & Compute | 4 | Analyze compute resources and auto scaling |
| Containers & Kubernetes | 5 | Track ECS, ECR, and EKS costs |
| Serverless | 3 | Monitor Lambda functions and provisioned concurrency |
| Databases | 9 | Analyze RDS, DynamoDB, ElastiCache, Redshift costs |
| Storage | 6 | Track S3, EBS, and backup costs |
| Networking & CDN | 8 | Analyze CloudFront, ELB, and Route 53 costs |
| Analytics & Search | 4 | Monitor OpenSearch and MSK costs |
| AI/ML | 3 | Track SageMaker costs and power Wiv AI features |
| Monitoring & Logging | 8 | Access CloudWatch metrics and CloudTrail events |
| Config & Compliance | 3 | Get resource configurations |
| Other Services | 3 | Track KMS, quotas, and Savings Plans |
| Tagging | 3 | Enable cost allocation by tags |
| Athena | 3 | Query CUR data with SQL |
| CloudFormation | 10 | Deploy Wiv role to member accounts via StackSets |
| Glue | 4 | Manage CUR data catalog for Athena |
| Organizations | 3 | List and identify accounts |
| EventBridge | 11 | Set up real-time event integration |
| Secrets Manager | 6 | Manage API credentials securely |
| IAM | 8 | Self-manage role and create service-linked roles |
| Total | ~125 | Complete FinOps visibility and automation |
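The trust-policy table at the top of this page and the permission tables summarized above describe the two things a reviewer checks before deploying a third-party role: that every account principal in the trust policy is gated by `sts:ExternalId`, and which of the granted actions can change state rather than only read it. The Python below is an added example of such a pre-deployment review; it is not Wiv's code. It runs over a constructed, much-shortened policy pair shaped like the page's tables, with placeholder account IDs and a placeholder ExternalId, and flags account principals without an ExternalId condition, non-read-only actions, and `Resource: "*"` statements that grant write actions without any condition.

```python
"""Pre-deployment review of a cross-account IAM role (added example, not Wiv's own code).

Checks three things a reviewer wants before creating a vendor role:
  1. every AWS account principal in the trust policy is gated by sts:ExternalId;
  2. which granted actions are write/invoke actions rather than read-only;
  3. which Allow statements grant write actions on Resource "*" with no Condition.
"""
import json

# Verbs treated as read-only. Matching is case-insensitive because IAM action names
# are (the page lists both 'eks:list*' and 'ec2:Describe*').
READ_ONLY_PREFIXES = ("get", "list", "describe", "lookup")

# Constructed trust policy shaped like the page's "Trust Policy" table.
# 111111111111 and the ExternalId value are placeholders, not real values.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
         "Action": "sts:AssumeRole",
         "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}},
        {"Effect": "Allow",
         "Principal": {"Service": ["events.amazonaws.com",
                                   "apidestinations.events.amazonaws.com"]},
         "Action": "sts:AssumeRole"},
    ],
}

# Constructed, shortened permissions policy: one statement of each shape seen on the page.
PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*",
         "Resource": ["arn:aws:s3:::wiv-cur-111111111111", "arn:aws:s3:::wiv-cur-111111111111/*"]},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:Describe*", "ce:Get*", "eks:list*", "rds:CreateDBSnapshot", "bedrock:InvokeModel"]},
        {"Effect": "Allow", "Action": ["events:PutRule", "events:DeleteRule"], "Resource": "*",
         "Condition": {"StringEquals": {"aws:ResourceTag/Wiv-Infrastructure": "true"}}},
        {"Effect": "Allow", "Action": "glue:*",
         "Resource": "arn:aws:glue:us-east-1:111111111111:database/wivdb"},
    ],
}


def as_list(value):
    """IAM accepts either a string or a list in Action, Resource and Principal fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_read_only(action):
    """True for verbs like Get*/List*/Describe*; a bare '*' verb (as in 's3:*') is never read-only."""
    _service, _, verb = action.partition(":")
    return verb != "*" and verb.lower().startswith(READ_ONLY_PREFIXES)


def principals_without_external_id(trust_policy):
    """Account principals allowed to assume the role with no sts:ExternalId condition.

    Service principals are skipped: the ExternalId pattern stops a third party from being
    used as a confused deputy, which does not apply to AWS service principals.
    """
    findings = []
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if isinstance(principal, str):          # the "Principal": "*" form
            principal = {"AWS": principal}
        accounts = as_list(principal.get("AWS"))
        if not accounts:
            continue
        conditions = stmt.get("Condition", {})
        gated = any("sts:ExternalId" in keys for keys in conditions.values())
        if not gated:
            findings.extend(accounts)
    return findings


def write_actions(policy):
    """Every allowed action that can create, change, delete or invoke something."""
    return [action
            for stmt in policy["Statement"] if stmt.get("Effect") == "Allow"
            for action in as_list(stmt.get("Action")) if not is_read_only(action)]


def unconditioned_write_on_any_resource(policy):
    """Indices of Allow statements with a write action, Resource '*' and no Condition."""
    hits = []
    for index, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if "*" in as_list(stmt.get("Resource")) and \
                any(not is_read_only(a) for a in as_list(stmt.get("Action"))):
            hits.append(index)
    return hits


def review(trust_policy, policy):
    """Collect the three findings into one report dictionary."""
    return {
        "principals_without_external_id": principals_without_external_id(trust_policy),
        "write_actions": write_actions(policy),
        "unconditioned_write_on_any_resource": unconditioned_write_on_any_resource(policy),
    }


if __name__ == "__main__":
    print(json.dumps(review(TRUST_POLICY, PERMISSIONS_POLICY), indent=2))
```

Run against the real role, the output is the list a reviewer compares with the "Why We Need It" column: each write action (`s3:*`, `glue:*`, `rds:CreateDBSnapshot`, `bedrock:InvokeModel`, the `events:*` mutations) should have a justification, and any statement reported under `unconditioned_write_on_any_resource` is the first candidate for a resource ARN or a tag condition like the `aws:ResourceTag/Wiv-Infrastructure` one used on the EventBridge rules.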
AWS IAM Permissions Table - WivAccessRole For Payer Account
```yaml
Resources:
  CrossAccountRole:
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName: WivAccessRole
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          # Wiv's account may assume the role only when it presents the ExternalId parameter
          - Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::${WivAccount}:root'
            Action: 'sts:AssumeRole'
            Condition:
              StringEquals:
                'sts:ExternalId': !Ref ExternalId
          - Effect: Allow
            Principal:
              Service: events.amazonaws.com
            Action: 'sts:AssumeRole'
          - Effect: Allow
            Principal:
              Service: apidestinations.events.amazonaws.com
            Action: 'sts:AssumeRole'
      Tags:
        - Key: 'Wiv'
          Value: 'Wiv-Infrastructure'
        - Key: 'Wiv:originalResourceId'
          Value: 'Payer-Role-Stack'

  WivPayerAccessPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: WivPayerAccessPolicy
      Roles:
        - !Ref CrossAccountRole
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          # Full access, scoped to the CUR bucket and its objects
          - Effect: Allow
            Action: 's3:*'
            Resource:
              - !Sub 'arn:aws:s3:::wiv-cur-${AWS::AccountId}'
              - !Sub 'arn:aws:s3:::wiv-cur-${AWS::AccountId}/*'
          # Account-wide read (and a few write) actions on every resource
          - Effect: Allow
            Action:
              - account:GetAccountInformation
              - billing:Get*
              - cloudfront:GetDistribution
              - cloudfront:GetDistributionConfig
              - cloudfront:ListDistributions
              - cloudtrail:Describe*
              - cloudtrail:Get*
              - cloudtrail:List*
              - cloudwatch:Describe*
              - cloudwatch:Get*
              - cloudwatch:List*
              - compute-optimizer:Describe*
              - compute-optimizer:Get*
              - config:Describe*
              - config:Get*
              - config:List*
              - consolidatedbilling:Get*
              - consolidatedbilling:List*
              - cur:Get*
              - dynamodb:Describe*
              - dynamodb:ListTables
              - dynamodb:ListTagsOfResource
              - ebs:List*
              - ec2:Describe*
              - ecs:Describe*
              - ecs:List*
              - ecr:Describe*
              - ecr:List*
              - elasticache:Describe*
              - elasticache:List*
              - elasticloadbalancing:Describe*
              - es:Describe*
              - es:List*
              - invoicing:List*
              - kafka:Describe*
              - kafka:List*
              - kms:List*
              - lambda:ListFunctions
              - lambda:ListProvisionedConcurrencyConfigs
              - lambda:ListTags
              - logs:DescribeLogGroups
              - payments:Get*
              - payments:List*
              - rds:Describe*
              - rds:List*
              - redshift:Describe*
              - s3:Describe*
              - s3:GetAccelerateConfiguration
              - s3:GetBucketVersioning
              - s3:GetLifecycleConfiguration
              - s3:List*
              - savingsplans:DescribeSavingsPlansOfferings
              - servicequotas:ListServiceQuotas
              - servicequotas:ListServices
              - support:Describe*
              - support:DescribeTrustedAdvisorCheckResult
              - support:DescribeTrustedAdvisorChecks
              - support:RefreshTrustedAdvisorCheck
              - tag:GetResources
              - tag:GetTagKeys
              - tax:Get*
              - tax:List*
              - trustedadvisor:Describe*
              - trustedadvisor:ExcludeCheckItems
              - trustedadvisor:GenerateReport
              - trustedadvisor:Get*
              - trustedadvisor:IncludeCheckItems
              - trustedadvisor:List*
              - trustedadvisor:RefreshCheck
              - eks:list*
              - cloudtrail:LookupEvents
              - ce:Get*
              - ce:List*
              - ce:Describe*
              - route53:ListHostedZones
              - route53:ListHostedZonesByName
              - route53:ListResourceRecordSets
              - tag:GetTagValues
              - autoscaling:Describe*
              - sagemaker:ListTrainingJobs
              - sagemaker:DescribeTrainingJob
              - sagemaker:ListProcessingJobs
              - sagemaker:DescribeProcessingJob
              - sagemaker:ListTransformJobs
              - sagemaker:DescribeTransformJob
              - bedrock:InvokeModel
            Resource: '*'
          # Athena queries, limited to the workgroup/ARN passed in as a parameter
          - Effect: Allow
            Action:
              - 'athena:StartQueryExecution'
              - 'athena:GetQueryExecution'
              - 'athena:GetQueryResults'
            Resource: !Ref AthenaARN
          # StackSet deployment of the org role, limited to the Wiv StackSet
          - Effect: Allow
            Action:
              - 'cloudformation:CreateStackInstances'
              - 'cloudformation:DescribeStackSetOperation'
            Resource:
              - !Sub 'arn:aws:cloudformation:*:${AWS::AccountId}:stackset-target/*WivOrgStackSet*'
              - !Sub 'arn:aws:cloudformation:*:${AWS::AccountId}:stackset/*WivOrgStackSet*'
          - Effect: Allow
            Action:
              - 'cloudformation:CreateStackInstances'
            Resource:
              - 'arn:aws:cloudformation:us-east-1::type/resource/AWS-IAM-Role'
              - 'arn:aws:cloudformation:us-east-1::type/resource/AWS-IAM-Group'
              - 'arn:aws:cloudformation:us-east-1::type/resource/AWS-IAM-Policy'
              - 'arn:aws:cloudformation:us-east-1::type/resource/AWS-CloudFormation-CustomResource'
              - 'arn:aws:cloudformation:us-east-1::type/resource/AWS-S3-Bucket'
              - 'arn:aws:cloudformation:us-east-1::type/resource/AWS-Lambda-Function'
          # Glue Data Catalog access, scoped to the wivdb database
          - Effect: Allow
            Action: 'glue:*'
            Resource:
              - !Sub 'arn:aws:glue:${AWS::Region}:${AWS::AccountId}:catalog'
              - !Sub 'arn:aws:glue:${AWS::Region}:${AWS::AccountId}:database/wivdb'
              - !Sub 'arn:aws:glue:${AWS::Region}:${AWS::AccountId}:table/wivdb/*'
              - !Sub 'arn:aws:glue:${AWS::Region}:${AWS::AccountId}:userDefinedFunction/wivdb/*'

  OrganizationRetrievalPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: organization-retrieval
      Roles:
        - !Ref CrossAccountRole
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - 'iam:ListAccountAliases'
              - 'organizations:DescribeOrganization'
              - 'organizations:ListAccounts'
            Resource: '*'

  EventbridgePolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: eventbridge
      Roles:
        - !Ref CrossAccountRole
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          # Rule management only on resources already tagged Wiv-Infrastructure=true
          - Effect: Allow
            Action:
              - events:PutRule
              - events:PutTargets
              - events:RemoveTargets
            Resource: '*'
            Condition:
              StringEquals:
                'aws:ResourceTag/Wiv-Infrastructure': 'true'
          # Tagging only when the request itself carries Wiv-Infrastructure=true
          - Effect: Allow
            Action:
              - events:TagResource
            Resource: '*'
            Condition:
              StringEquals:
                'aws:RequestTag/Wiv-Infrastructure': 'true'
          - Effect: Allow
            Action:
              - events:CreateApiDestination
              - events:InvokeApiDestination
              - events:CreateConnection
              - events:DeleteApiDestination
              - events:DescribeConnection
              - events:DescribeApiDestination
            Resource: '*'
          # Connection credentials live in the events!connection/ secret namespace
          - Effect: Allow
            Action:
              - secretsmanager:CreateSecret
              - secretsmanager:PutSecretValue
              - secretsmanager:UpdateSecret
              - secretsmanager:GetSecretValue
              - secretsmanager:DeleteSecret
              - secretsmanager:DescribeSecret
            Resource:
              - !Sub 'arn:aws:secretsmanager:*:${AWS::AccountId}:secret:events!connection/*'
          # The role may only pass itself, not arbitrary roles
          - Effect: Allow
            Action:
              - iam:PassRole
            Resource: !GetAtt CrossAccountRole.Arn
          - Effect: Allow
            Action:
              - iam:CreateServiceLinkedRole
            Resource:
              - !Sub 'arn:aws:iam::${AWS::AccountId}:role/aws-service-role/events.amazonaws.com/AWSServiceRoleForEventBridge'
          - Effect: Allow
            Action:
              - events:DeleteRule
            Resource: '*'
            Condition:
              StringEquals:
                'aws:ResourceTag/Wiv-Infrastructure': 'true'
```

AWS IAM Permissions Table - WivAccessRole For Linked Accounts
```json
{
  "Resources": {
    "CrossAccountRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "RoleName": "WivAccessRole",
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "AWS": { "Fn::Sub": "arn:aws:iam::${WivAccount}:root" }
              },
              "Action": "sts:AssumeRole",
              "Condition": {
                "StringEquals": {
                  "sts:ExternalId": { "Ref": "ExternalId" }
                }
              }
            },
            {
              "Effect": "Allow",
              "Principal": {
                "Service": [
                  "events.amazonaws.com",
                  "apidestinations.events.amazonaws.com"
                ]
              },
              "Action": "sts:AssumeRole"
            }
          ]
        },
        "Tags": [
          { "Key": "Wiv", "Value": "Wiv-Infrastructure" },
          { "Key": "WivOriginalResourceId", "Value": "Org-Role-Stack" }
        ]
      }
    },
    "WivCoreAccessPolicy": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyName": "WivCoreAccessPolicy",
        "Roles": [
          { "Ref": "CrossAccountRole" }
        ],
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [
                "account:GetAccountInformation",
                "athena:GetQueryExecution",
                "athena:GetQueryResults",
                "athena:StartQueryExecution",
                "billing:Get*",
                "cloudfront:GetDistribution",
                "cloudfront:GetDistributionConfig",
                "cloudfront:ListDistributions",
                "cloudfront:GetCachePolicyConfig",
                "cloudfront:listtagsforresource",
                "cloudtrail:Describe*",
                "cloudtrail:Get*",
                "cloudtrail:List*",
                "cloudtrail:LookupEvents",
                "cloudwatch:Describe*",
                "cloudwatch:Get*",
                "cloudwatch:List*",
                "compute-optimizer:Describe*",
                "compute-optimizer:Get*",
                "config:Describe*",
                "config:Get*",
                "config:List*",
                "consolidatedbilling:Get*",
                "consolidatedbilling:List*",
                "cur:Get*",
                "dynamodb:Describe*",
                "dynamodb:ListTables",
                "dynamodb:ListTagsOfResource",
                "ebs:List*",
                "ec2:Describe*",
                "ecs:Describe*",
                "ecs:List*",
                "ecr:Describe*",
                "ecr:List*",
                "eks:DescribeCluster",
                "eks:List*",
                "elasticache:Describe*",
                "elasticache:List*",
                "elasticloadbalancing:Describe*",
                "es:Describe*",
                "es:List*",
                "events:InvokeApiDestination",
                "invoicing:List*",
                "kafka:Describe*",
                "kafka:List*",
                "kms:List*",
                "lambda:ListFunctions",
                "lambda:ListProvisionedConcurrencyConfigs",
                "lambda:ListTags",
                "logs:DescribeLogGroups",
                "payments:Get*",
                "payments:List*",
                "rds:Describe*",
                "rds:CreateDBSnapshot",
                "rds:List*",
                "redshift:Describe*",
                "route53:ListHostedZones",
                "route53:ListHostedZonesByName",
                "route53:ListResourceRecordSets",
                "s3:Describe*",
                "s3:GetAccelerateConfiguration",
                "s3:GetBucketVersioning",
                "s3:GetLifecycleConfiguration",
                "s3:List*",
                "savingsplans:DescribeSavingsPlansOfferings",
                "servicequotas:ListServiceQuotas",
                "servicequotas:ListServices",
                "support:Describe*",
                "support:DescribeTrustedAdvisorCheckResult",
                "support:DescribeTrustedAdvisorChecks",
                "support:RefreshTrustedAdvisorCheck",
                "tag:GetResources",
                "tag:GetTagKeys",
                "tag:GetTagValues",
                "tax:Get*",
                "tax:List*",
                "trustedadvisor:Describe*",
                "trustedadvisor:ExcludeCheckItems",
                "trustedadvisor:GenerateReport",
                "trustedadvisor:Get*",
                "trustedadvisor:IncludeCheckItems",
                "trustedadvisor:List*",
                "trustedadvisor:RefreshCheck",
                "autoscaling:Describe*",
                "ce:Get*",
                "ce:List*",
                "ce:Describe*",
                "ce:CreateAnomalySubscription",
                "ce:TagResource",
                "backup:List*",
                "application-autoscaling:Describe*",
                "fsx:Describe*",
                "fsx:List*",
                "elasticfilesystem:DescribeBackupPolicy",
                "elasticfilesystem:DescribeFileSystems",
                "elasticfilesystem:DescribeFileSystemPolicy",
                "elasticfilesystem:DescribeLifecycleConfiguration",
                "elasticfilesystem:DescribeTags",
                "elasticfilesystem:ListTagsForResource",
                "sagemaker:ListTrainingJobs",
                "sagemaker:DescribeTrainingJob",
                "sagemaker:ListProcessingJobs",
                "sagemaker:DescribeProcessingJob",
                "sagemaker:ListTransformJobs",
                "sagemaker:DescribeTransformJob",
                "bedrock:InvokeModel"
              ],
              "Resource": "*"
            }
          ]
        }
      }
    },
    "OrganizationRetrievalPolicy": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyName": "OrganizationRetrievalPolicy",
        "Roles": [
          { "Ref": "CrossAccountRole" }
        ],
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [
                "iam:ListAccountAliases",
                "organizations:DescribeOrganization",
                "organizations:ListAccounts"
              ],
              "Resource": "*"
            }
          ]
        }
      }
    },
    "EventbridgePolicy": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyName": "EventbridgePolicy",
        "Roles": [
          { "Ref": "CrossAccountRole" }
        ],
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [
                "events:PutRule",
                "events:PutTargets",
                "events:CreateApiDestination",
                "events:InvokeApiDestination",
                "events:CreateConnection",
                "events:DeleteApiDestination",
                "events:RemoveTargets",
                "events:TagResource",
                "events:DescribeConnection",
                "events:DescribeApiDestination"
              ],
              "Resource": "*"
            },
            {
              "Effect": "Allow",
              "Action": [
                "secretsmanager:CreateSecret",
                "secretsmanager:PutSecretValue",
                "secretsmanager:UpdateSecret",
                "secretsmanager:GetSecretValue",
                "secretsmanager:DeleteSecret",
                "secretsmanager:DescribeSecret"
              ],
              "Resource": {
                "Fn::Join": [
                  "",
                  [
                    "arn:aws:secretsmanager:*:",
                    { "Ref": "AWS::AccountId" },
                    ":secret:events!connection/*"
                  ]
                ]
              }
            },
            {
              "Effect": "Allow",
              "Action": "iam:PassRole",
              "Resource": {
                "Fn::GetAtt": [ "CrossAccountRole", "Arn" ]
              }
            },
            {
              "Effect": "Allow",
              "Action": "iam:CreateServiceLinkedRole",
              "Resource": {
                "Fn::Join": [
                  "",
                  [
                    "arn:aws:iam::",
                    { "Ref": "AWS::AccountId" },
                    ":role/aws-service-role/events.amazonaws.com/AWSServiceRoleForAmazonEventBridgeApiDestinations"
                  ]
                ]
              },
              "Condition": {
                "StringLike": {
                  "iam:AWSServiceName": "apidestinations.events.amazonaws.com"
                }
              }
            },
            {
              "Effect": "Allow",
              "Action": [
                "iam:AttachRolePolicy",
                "iam:PutRolePolicy"
              ],
              "Resource": {
                "Fn::Join": [
                  "",
                  [
                    "arn:aws:iam::",
                    { "Ref": "AWS::AccountId" },
                    ":role/aws-service-role/apidestinations.events.amazonaws.com/AWSServiceRoleForAmazonEventBridgeApiDestinations"
                  ]
                ]
              }
            },
            {
              "Effect": "Allow",
              "Action": "events:DeleteRule",
              "Resource": "*",
              "Condition": {
                "StringEquals": {
                  "aws:ResourceTag/Wiv-Infrastructure": "true"
                }
              }
            }
          ]
        }
      }
    }
  }
}
```
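The two templates above build most of their resource ARNs with `Fn::Join`/`!Join`, `Ref`, `Fn::Sub` and `Fn::GetAtt`, so the effective grant is hard to read off the page. The Python below is an added example, not Wiv's code: a small resolver for those four intrinsic functions, run over a constructed, trimmed fragment in the JSON template's shape. The account IDs are placeholders, the `AthenaARN` workgroup value and the `Fn::GetAtt` role ARN are assumed, and `Ref` on the role's logical ID is modelled as returning its name, which is what CloudFormation does for `AWS::IAM::Role`. It lets a reviewer list the concrete actions and resources each statement grants, and the resolved trusted principal and ExternalId, before approving the stack.

```python
"""Resolve CloudFormation intrinsics in an IAM template fragment (added example, not Wiv's code)."""
import re

# Constructed values for pseudo-parameters, template parameters and logical ids.
# Every account ID and ARN here is a placeholder.
CONTEXT = {
    "AWS::AccountId": "111111111111",
    "AWS::Region": "us-east-1",
    "WivAccount": "222222222222",                     # vendor account parameter (placeholder)
    "ExternalId": "example-external-id",
    "AthenaARN": "arn:aws:athena:us-east-1:111111111111:workgroup/primary",  # assumed value
    "CrossAccountRole": "WivAccessRole",              # Ref on an AWS::IAM::Role yields its name
}
# Fn::GetAtt results; a live stack knows these only after the role exists (assumed here).
ATTRIBUTES = {("CrossAccountRole", "Arn"): "arn:aws:iam::111111111111:role/WivAccessRole"}

# Trimmed fragment in the shape of the page's JSON template, one use of each intrinsic.
TEMPLATE = {"Resources": {
    "CrossAccountRole": {"Type": "AWS::IAM::Role", "Properties": {
        "RoleName": "WivAccessRole",
        "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": {"Fn::Sub": "arn:aws:iam::${WivAccount}:root"}},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": {"Ref": "ExternalId"}}}}]}}},
    "EventbridgePolicy": {"Type": "AWS::IAM::Policy", "Properties": {
        "PolicyName": "EventbridgePolicy",
        "Roles": [{"Ref": "CrossAccountRole"}],
        "PolicyDocument": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": ["athena:StartQueryExecution"],
             "Resource": {"Ref": "AthenaARN"}},
            {"Effect": "Allow", "Action": ["secretsmanager:GetSecretValue"],
             "Resource": {"Fn::Join": ["", ["arn:aws:secretsmanager:*:",
                                            {"Ref": "AWS::AccountId"},
                                            ":secret:events!connection/*"]]}},
            {"Effect": "Allow", "Action": "iam:PassRole",
             "Resource": {"Fn::GetAtt": ["CrossAccountRole", "Arn"]}}]}}}}}


def as_list(value):
    """IAM accepts a string or a list in Action, Resource and Principal fields."""
    return value if isinstance(value, list) else [value]


def resolve(node, context=CONTEXT, attributes=ATTRIBUTES):
    """Recursively replace Ref, Fn::Sub, Fn::Join and Fn::GetAtt with concrete strings."""
    if isinstance(node, list):
        return [resolve(item, context, attributes) for item in node]
    if not isinstance(node, dict):
        return node
    if len(node) == 1:                      # intrinsic functions are single-key objects
        (key, value), = node.items()
        if key == "Ref":
            return context[value]
        if key == "Fn::Sub":                # string form, or [template, {name: value}] form
            template, extra = (value, {}) if isinstance(value, str) else value
            scope = dict(context, **{k: resolve(v, context, attributes) for k, v in extra.items()})
            return re.sub(r"\$\{([^}]+)\}", lambda m: str(scope[m.group(1)]), template)
        if key == "Fn::Join":
            delimiter, parts = value
            return delimiter.join(str(resolve(p, context, attributes)) for p in parts)
        if key == "Fn::GetAtt":             # list form or "Logical.Attr" string form
            logical_id, attr = value if isinstance(value, list) else value.split(".", 1)
            return attributes[(logical_id, attr)]
    return {k: resolve(v, context, attributes) for k, v in node.items()}


def effective_grants(template, context=CONTEXT, attributes=ATTRIBUTES):
    """For each AWS::IAM::Policy, the list of (actions, resources) with intrinsics resolved."""
    grants = {}
    for logical_id, resource in template["Resources"].items():
        if resource["Type"] != "AWS::IAM::Policy":
            continue
        document = resolve(resource["Properties"]["PolicyDocument"], context, attributes)
        grants[logical_id] = [(as_list(s["Action"]), as_list(s["Resource"]))
                              for s in document["Statement"]]
    return grants


def trusted_accounts(template, context=CONTEXT, attributes=ATTRIBUTES):
    """Resolved (principal ARN, ExternalId) pairs from every AWS::IAM::Role trust policy."""
    pairs = []
    for resource in template["Resources"].values():
        if resource["Type"] != "AWS::IAM::Role":
            continue
        document = resolve(resource["Properties"]["AssumeRolePolicyDocument"], context, attributes)
        for stmt in document["Statement"]:
            external_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
            for arn in as_list(stmt["Principal"].get("AWS", [])):
                pairs.append((arn, external_id))
    return pairs


if __name__ == "__main__":
    for name, statements in effective_grants(TEMPLATE).items():
        for actions, resources in statements:
            print(name, actions, "->", resources)
    print(trusted_accounts(TEMPLATE))
```

With the full template loaded from JSON (`json.load`) and the real parameter values placed in `CONTEXT`, `effective_grants` yields the same statement-by-statement view as the tables on this page, derived from the template itself rather than from the documentation, which is the version to compare against.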