AWS CloudFormation For Creating Zilla-IAM-Reader-Role

Template for Zilla-IAM-Reader-Role

Save the template below in a file with the extension .yml, for example zilla-iam-reader-role-template.yml.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: 'Zilla IAM Reader Role to sync an aws account'
Parameters:
  ZillaIAMReaderRoleName:
    Type: String
    Description: 'Provide a role name (Example: Zilla-IAM-Reader-Role)'
    AllowedPattern: '[-_a-zA-Z0-9]*'
    Default: Zilla-IAM-Reader-Role
  ZillaExternalID:
    Type: String
    Description: 'Provide an ExternalID (Example: Xoih821ddwf)'
    MinLength: '1'
    AllowedPattern: '[a-zA-Z0-9\=\,\.\@\:\/\-_]*'
    Default: zillasecurity.com
    ConstraintDescription: >-
      ExternalID must contain alphanumeric characters and only these special
      characters are allowed =,.@:/-.
  ZillaAccountId:
    Description: >-
      Zilla AWS account ID that is allowed to assume this IAM role. Avoid changing!
    Type: String
    Default: '087210011007'
Resources:
  ZillaIAMRole:
    Type: 'AWS::IAM::Role'
    DeletionPolicy: 'Retain'
    Properties:
      RoleName: !Ref ZillaIAMReaderRoleName
      Description: 'IAM Role to allow Zilla AWS account read access to IAM service of this account.'
      # AWS-managed read-only audit policy; the role gets no write permissions.
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/SecurityAudit'
      # Trust policy: only the Zilla account may assume the role, and only
      # when it presents the agreed ExternalId.
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub
                - 'arn:aws:iam::${ZillaAWSAccountId}:root'
                - ZillaAWSAccountId: !Ref ZillaAccountId
            Action:
              - 'sts:AssumeRole'
            Condition:
              StringEquals:
                'sts:ExternalId': !Ref ZillaExternalID
Metadata:
  'AWS::CloudFormation::Interface':
    ParameterGroups:
      - Label:
          default: Zilla Account Information
        Parameters:
          - ZillaIAMReaderRoleName
          - ZillaExternalID
Outputs:
  ZillaIAMReaderRoleARN:
    Value: !GetAtt ZillaIAMRole.Arn
    Description: Zilla IAM Reader Role ARN
```


Create stack for Zilla-IAM-Reader-Role

  1. Go to the CloudFormation Stacks page and click Create stack, then choose With new resources (standard) from the Create stack dropdown.


  2. Select Template is ready and upload zilla-iam-reader-role-template.yml from your local machine. Click on Next.


  3. Give the stack a name and fill in the parameter values:

    1. ZillaIAMReaderRoleName should be Zilla-IAM-Reader-Role.

    2. ZillaExternalID should be your company's domain name. For example, if your company's domain name is acme-corp.com, enter acme-corp.com.

    3. ZillaAccountId should be 087210011007.

     Click on Next.


  4. Click Next on the Configure stack options page.


  5. Review the details and create the stack.


  6. Check the status of the stack. Go to the Events tab. Wait for the Status to become CREATE_COMPLETE.


  7. Go to the IAM console and, on the Roles page, search for Zilla-IAM-Reader-Role. Copy the Role ARN; you will provide it in the sync settings in Zilla.
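While you are on the role's page in step 7, the Trust relationships tab shows the policy the template's AssumeRolePolicyDocument produced. The following is an added example, not part of this page or of Zilla's tooling, that checks such a trust policy offline for the three properties the template is meant to guarantee: only the Zilla account root may assume the role, only sts:AssumeRole is granted, and the sts:ExternalId condition is present with the value you entered. The two sample policies are constructed to illustrate a correct role and one that lost its ExternalId condition.

```python
import json

# Constructed sample: the trust relationship IAM shows for the role once the
# stack is created with ZillaExternalID = acme-corp.com.
GOOD_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::087210011007:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "acme-corp.com"}},
    }],
})

# Constructed sample: the same role with the ExternalId condition missing,
# the confused-deputy case the condition is there to guard against.
WEAK_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::087210011007:root"},
        "Action": ["sts:AssumeRole"],
    }],
})


def _as_list(value):
    """IAM accepts a string or a list in most policy fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def trust_policy_problems(policy_json, expected_account, expected_external_id):
    """Return findings for every Allow statement; an empty list means the policy is as expected."""
    policy = json.loads(policy_json)
    expected_principal = f"arn:aws:iam::{expected_account}:root"
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        # Principal may be {"AWS": ...} or the bare wildcard "*".
        principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else _as_list(principal)
        if principals != [expected_principal]:
            findings.append(f"statement {i}: principal {principals} is not {expected_principal}")
        if _as_list(stmt.get("Action", [])) != ["sts:AssumeRole"]:
            findings.append(f"statement {i}: actions go beyond sts:AssumeRole")
        ext_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext_id != expected_external_id:
            findings.append(f"statement {i}: sts:ExternalId is {ext_id!r}, expected {expected_external_id!r}")
    return findings
```

Paste the JSON from the Trust relationships tab in place of the sample and pass the account ID and ExternalID you used in step 3; any non-empty result means the role differs from what the template deploys.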