Enable the StackSets service in the AWS Organizations management account

In the CloudFormation console, open StackSets and activate trusted access with AWS Organizations. The Service-managed permissions model used below depends on this, and it has to be done from the management account.

Template for Zilla-IAM-Reader-Role

AWSTemplateFormatVersion: 2010-09-09
Description: 'Zilla IAM Reader Role to sync an aws account'
Parameters:
  ZillaIAMReaderRoleName:
    Type: String
    Description: 'Provide a role name (Example: Zilla-IAM-Reader-Role)'
    AllowedPattern: '[-_a-zA-Z0-9]*'
    Default: Zilla-IAM-Reader-Role
  ZillaExternalID:
    Type: String
    Description: 'Provide an ExternalID (Example: Xoih821ddwf)'
    MinLength: '1'
    AllowedPattern: '[a-zA-Z0-9\=\,\.\@\:\/\-_]*'
    # Placeholder only: supply the ExternalID agreed with Zilla when creating the stack.
    Default: zillasecurity.com
    ConstraintDescription: >-
      ExternalID must contain alphanumeric characters and only these special
      characters are allowed =,.@:/-. 
  ZillaAccountId:
    Description: >-
      Zilla AWS account ID that is allowed to assume this IAM role. Avoid
      changing!
    Type: String
    Default: '087210011007'
Resources:
  ZillaIAMRole:
    Type: 'AWS::IAM::Role'
    DeletionPolicy: 'Retain'
    Properties:
      RoleName: !Ref ZillaIAMReaderRoleName
      Description: 'IAM Role to allow Zilla AWS account read access to IAM service of this account.'
      ManagedPolicyArns:
        # AWS managed read-only policy; note it grants read access across many services, not only IAM.
        - 'arn:aws:iam::aws:policy/SecurityAudit'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              # Only principals in the Zilla account may assume this role ...
              AWS: !Sub 'arn:aws:iam::${ZillaAccountId}:root'
            Action:
              - 'sts:AssumeRole'
            Condition:
              # ... and only when they present the agreed ExternalID (confused-deputy protection).
              StringEquals:
                'sts:ExternalId': !Ref ZillaExternalID
Metadata:
  'AWS::CloudFormation::Interface':
    ParameterGroups:
      - Label:
          default: Zilla Account Information
        Parameters:
          - ZillaIAMReaderRoleName
          - ZillaExternalID
Outputs:
    ZillaIAMReaderRoleARN:
      Value: !GetAtt ZillaIAMRole.Arn
      Description: Zilla IAM Reader Role ARN

Template for Zilla-SSO-Reader-Role

AWSTemplateFormatVersion: 2010-09-09
Description: 'Zilla SSO Reader Role to sync SSO users, groups and permission sets'
Parameters:
  ZillaSSOReaderRoleName:
    Type: String
    Description: 'Provide a role name (Example: Zilla-SSO-Reader-Role)'
    AllowedPattern: '[-_a-zA-Z0-9]*'
    Default: Zilla-SSO-Reader-Role
  ZillaExternalID:
    Type: String
    Description: 'Provide an ExternalID (Example: Xoih821ddwf)'
    MinLength: '1'
    AllowedPattern: '[a-zA-Z0-9\=\,\.\@\:\/\-_]*'
    # Placeholder only: supply the ExternalID agreed with Zilla when creating the stack.
    Default: zillasecurity.com
    ConstraintDescription: >-
      ExternalID must contain alphanumeric characters and only these special
      characters are allowed =,.@:/-. 
  ZillaAccountId:
    Description: >-
      Zilla AWS account ID that is allowed to assume this IAM role. Avoid
      changing!
    Type: String
    Default: '087210011007'
Resources:
  ZillaIAMRole:
    Type: 'AWS::IAM::Role'
    DeletionPolicy: 'Retain'
    Properties:
      RoleName: !Ref ZillaSSOReaderRoleName
      Description: 'IAM Role to allow Zilla to read SSO Users, Groups and Permission Sets.'
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/AWSSSOReadOnly'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              # Only principals in the Zilla account may assume this role ...
              AWS: !Sub 'arn:aws:iam::${ZillaAccountId}:root'
            Action:
              - 'sts:AssumeRole'
            Condition:
              # ... and only when they present the agreed ExternalID (confused-deputy protection).
              StringEquals:
                'sts:ExternalId': !Ref ZillaExternalID
      Policies:
        # Read access to the Identity Store (users and groups), in addition to the managed policy.
        - PolicyName: zilla-sso-reader-policy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Resource: '*'
                Action:
                  - identitystore:Describe*
                  - identitystore:List*
Metadata:
  'AWS::CloudFormation::Interface':
    ParameterGroups:
      - Label:
          default: Zilla Account Information
        Parameters:
          - ZillaSSOReaderRoleName
          - ZillaExternalID
Outputs:
    ZillaSSOReaderRoleARN:
      Value: !GetAtt ZillaIAMRole.Arn
      Description: Zilla SSO Reader Role ARN

Create stack set for Zilla-IAM-Reader-Role

  1. Go to the CloudFormation console and open StackSets.

  2. Click Create StackSet and select Service-managed permissions.

  3. Select Template is ready. Save the Zilla-IAM-Reader-Role template above as a .yml file and upload it from local.

  4. Give the stack set a name.

  5. Check the parameter values. Replace the ZillaExternalID placeholder with the ExternalID agreed with Zilla; the sts:ExternalId condition is what stops another Zilla customer from pointing Zilla at your role (confused deputy). Leave ZillaAccountId unchanged.

  6. Click Next. Choose the deployment targets (the whole organization or specific OUs) and deploy to a single region only: IAM roles are global, so a second region would fail because the role already exists.

  7. Review the final details.

  8. Acknowledge that the template creates IAM resources with custom names and click Submit.

Create stack for Zilla-IAM-Reader-Role in Management Account

Service-managed stack sets deploy to member accounts only, never to the management account itself, so the IAM reader role has to be created there with an ordinary stack.

  1. Go to CloudFormation Stacks and click Create stack.

  2. Select Template is ready and upload the Zilla-IAM-Reader-Role template as a .yml file from local.

  3. Give the stack a name and fill in the parameter values (same ExternalID as the stack set).

  4. Review the details and create the stack.

Create stack for Zilla-SSO-Reader-Role in Management Account

IAM Identity Center (SSO) lives in the management account, so this role is created there only and is not part of the stack set.

  1. Go to CloudFormation Stacks and click Create stack.

  2. Select Template is ready and upload the Zilla-SSO-Reader-Role template as a .yml file from local.

  3. Give the stack a name and fill in the parameter values (same ExternalID as above).

  4. Review the details and create the stack.
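Once the stack set and the two management-account stacks have deployed, the check worth running in each account is that the role trusts only the Zilla account, only via sts:AssumeRole, and only with the agreed ExternalID, and that the template's placeholder default did not slip through. The script below is an added example, not part of this page or of Zilla's tooling. It inspects the decoded AssumeRolePolicyDocument that `aws iam get-role --role-name Zilla-IAM-Reader-Role --query Role.AssumeRolePolicyDocument` prints; the three sample documents are constructed inline, and the page's example value Xoih821ddwf is assumed to be the agreed ExternalID.

```python
import json

# Fixed by the page's templates: the Zilla account allowed to assume the roles,
# and the ExternalID default, which is only a placeholder.
ZILLA_ACCOUNT_ID = "087210011007"
PLACEHOLDER_EXTERNAL_IDS = {"zillasecurity.com"}


def _as_list(value):
    """IAM policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _account_of(arn):
    """Account ID field of an ARN ('arn:aws:iam::<acct>:root' -> '<acct>'), or None."""
    parts = arn.split(":")
    return parts[4] if len(parts) >= 6 else None


def check_trust_policy(doc, expected_external_id, zilla_account_id=ZILLA_ACCOUNT_ID):
    """Return a list of findings; an empty list means the trust policy is as intended.

    `doc` is the decoded AssumeRolePolicyDocument, i.e. what
    `aws iam get-role --role-name <name> --query Role.AssumeRolePolicyDocument` prints.
    """
    findings = []
    allows = [s for s in _as_list(doc.get("Statement")) if s.get("Effect") == "Allow"]
    if len(allows) != 1:
        findings.append(f"expected exactly one Allow statement, found {len(allows)}")

    for st in allows:
        # Only an 'AWS' principal is expected; Federated or Service would be a different trust.
        principal = st.get("Principal")
        if not isinstance(principal, dict) or set(principal) != {"AWS"}:
            findings.append(f"unexpected principal block: {principal!r}")
        else:
            for p in _as_list(principal["AWS"]):
                if p == "*" or _account_of(p) != zilla_account_id:
                    findings.append(f"principal {p!r} is not in the Zilla account {zilla_account_id}")

        actions = _as_list(st.get("Action"))
        if actions != ["sts:AssumeRole"]:
            findings.append(f"actions should be exactly ['sts:AssumeRole'], found {actions}")

        condition = st.get("Condition") or {}
        ext_ids = _as_list(condition.get("StringEquals", {}).get("sts:ExternalId"))
        if not ext_ids:
            findings.append("no sts:ExternalId condition: the role could be assumed on behalf of "
                            "another Zilla customer (confused deputy)")
        elif ext_ids != [expected_external_id]:
            findings.append(f"sts:ExternalId {ext_ids} does not match the agreed value")
        for ext in ext_ids:
            if ext in PLACEHOLDER_EXTERNAL_IDS:
                findings.append(f"sts:ExternalId {ext!r} is the template placeholder, not a per-customer value")
    return findings


# Constructed sample: what get-role returns for the IAM reader role after the
# stack set deployed it with ZillaExternalID=Xoih821ddwf.
GOOD_ROLE_JSON = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::087210011007:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "Xoih821ddwf"}}
  }]
}"""

# Constructed sample: the same role deployed with the template's default ExternalID left in.
PLACEHOLDER_ROLE_JSON = GOOD_ROLE_JSON.replace("Xoih821ddwf", "zillasecurity.com")

# Constructed sample: a trust policy hand-edited to drop the condition and widen the principal.
WEAK_ROLE_JSON = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "*"},
    "Action": ["sts:AssumeRole", "sts:TagSession"]
  }]
}"""


def audit(role_name, role_json, expected_external_id):
    """Print a verdict for one role and return its findings."""
    findings = check_trust_policy(json.loads(role_json), expected_external_id)
    print(f"{role_name}: {'OK' if not findings else 'FAIL'}")
    for finding in findings:
        print(f"  - {finding}")
    return findings


if __name__ == "__main__":
    audit("Zilla-IAM-Reader-Role", GOOD_ROLE_JSON, "Xoih821ddwf")
    audit("Zilla-IAM-Reader-Role (default left in)", PLACEHOLDER_ROLE_JSON, "Xoih821ddwf")
    audit("Zilla-SSO-Reader-Role (hand-edited)", WEAK_ROLE_JSON, "Xoih821ddwf")
```

To run it against a live account, replace the sample strings with the output of the get-role command above; because the check reads the deployed trust policy rather than the template, it also catches drift introduced after the stack ran.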
