More than 5 years have passed since last update.

Deep Security cross-account role with CloudFormation


How to do "[Deep Security] Setting up AWS account integration with an IAM Role" with CloudFormation.

For `<account_id>` (the AWS account on the Deep Security side that will assume the role), refer to the official documentation.

```yaml
---
AWSTemplateFormatVersion: '2010-09-09'

Parameters:
  # The External ID shared with Deep Security. It is the only thing that stops
  # another tenant of the trusted account from having the role assumed on
  # their behalf (the confused-deputy problem), so use an unguessable value.
  ExternalId:
    Type: 'String'

Resources:
  # Role that the Deep Security account is allowed to assume into this account.
  DeepSecurityDelegationRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: 'Allow'
            # sts:AssumeRole succeeds only when the caller passes this ExternalId.
            Condition:
              StringEquals:
                'sts:ExternalId':
                  Ref: 'ExternalId'
            # Trust only the Deep Security account, never '*'.
            Principal:
              AWS:
                - 'arn:aws:iam::<account_id>:root'
            Action:
              - 'sts:AssumeRole'

  # Read-only permissions: Deep Security only needs to enumerate instances
  # and their network placement, so nothing beyond ec2:Describe* / iam:List*.
  DeepSecurityAWSIntegrationPolicy:
    Type: 'AWS::IAM::ManagedPolicy'
    Properties:
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: 'Allow'
            Action:
            - 'ec2:DescribeImages'
            - 'ec2:DescribeInstances'
            - 'ec2:DescribeRegions'
            - 'ec2:DescribeSubnets'
            - 'ec2:DescribeTags'
            - 'ec2:DescribeVpcs'
            - 'iam:ListAccountAliases'
            Resource: '*'
      Roles:
        - Ref: 'DeepSecurityDelegationRole'

# Both values are needed in the Deep Security console after the stack is created.
Outputs:
  RoleArn:
    Value:
      'Fn::GetAtt':
        - 'DeepSecurityDelegationRole'
        - 'Arn'

  ExternalId:
    Value:
      Ref: 'ExternalId'
```

In the Deep Security console, enter the values from the CloudFormation stack's Outputs: `RoleArn` goes into the "Cross-account role ARN" field and `ExternalId` into the "External ID" field.

[Screenshot (2017-06-16): Deep Security console, AWS account integration dialog]
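Before deploying the template (or after, against the deployed role), it is worth checking mechanically that the trust policy really is restricted to the Deep Security account and gated by `sts:ExternalId`, and that the managed policy stays read-only. The script below is an added example, not code from the original article or from Trend Micro; the account ID `111111111111`, the sample ExternalId and the embedded policy documents are constructed copies of the template above, and the `READ_ONLY_PREFIXES` allow-list is an assumption about what "read-only" means for this integration.

```python
"""Audit the Deep Security cross-account trust and permissions policies.

Added example (not from the original article). Run with no arguments to audit
the embedded sample, or pass a JSON file containing a trust policy, e.g. the
output of `aws iam get-role --role-name <name> --query Role.AssumeRolePolicyDocument`.
"""
import copy
import json
import secrets
import sys

TRUSTED_ACCOUNT = "111111111111"  # placeholder for the <account_id> in the template

# Constructed copy of the template's AssumeRolePolicyDocument with Ref ExternalId resolved.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": [f"arn:aws:iam::{TRUSTED_ACCOUNT}:root"]},
            "Action": ["sts:AssumeRole"],
            "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}},
        }
    ],
}

# Constructed copy of the template's managed policy document.
PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeImages", "ec2:DescribeInstances", "ec2:DescribeRegions",
                "ec2:DescribeSubnets", "ec2:DescribeTags", "ec2:DescribeVpcs",
                "iam:ListAccountAliases",
            ],
            "Resource": "*",
        }
    ],
}

# Assumption: anything outside these prefixes is more than the integration needs.
READ_ONLY_PREFIXES = ("ec2:Describe", "iam:ListAccountAliases")


def generate_external_id() -> str:
    """Unguessable value for the ExternalId stack parameter (32 random bytes, 43 URL-safe chars)."""
    return secrets.token_urlsafe(32)


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_trust_policy(doc, trusted_account):
    """Return findings for any Allow statement broader than the template intends."""
    findings = []
    expected_prefix = f"arn:aws:iam::{trusted_account}:"
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws_principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for p in aws_principals:
            if p == "*":
                findings.append("trust policy allows any AWS principal")
            elif not p.startswith(expected_prefix):
                findings.append(f"unexpected principal {p}")
        for action in _as_list(stmt.get("Action", [])):
            if action != "sts:AssumeRole":
                findings.append(f"unexpected trust action {action}")
        ext_ids = _as_list(stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId", []))
        if not ext_ids:
            findings.append("sts:AssumeRole is not gated by sts:ExternalId (confused-deputy risk)")
    return findings


def audit_permissions(doc, allowed_prefixes=READ_ONLY_PREFIXES):
    """Return findings for any Allow statement granting more than read-only actions."""
    findings = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append("NotAction grants everything except the listed actions")
        for action in _as_list(stmt.get("Action", [])):
            if not action.startswith(allowed_prefixes):
                findings.append(f"action outside the read-only set: {action}")
    return findings


def without_external_id(doc):
    """Weakened variant for comparison: the same trust policy with its Condition dropped."""
    weak = copy.deepcopy(doc)
    for stmt in weak["Statement"]:
        stmt.pop("Condition", None)
    return weak


if __name__ == "__main__":
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else TRUST_POLICY
    print("trust findings:", audit_trust_policy(doc, TRUSTED_ACCOUNT) or "none")
    print("same policy without ExternalId:", audit_trust_policy(without_external_id(doc), TRUSTED_ACCOUNT))
    print("permission findings:", audit_permissions(PERMISSIONS_POLICY) or "none")
    print("fresh ExternalId for the stack parameter:", generate_external_id())
```

The ExternalId is deliberately generated with `secrets` rather than typed by hand: the Condition in the trust policy is the only barrier between "the Deep Security account may assume this role" and "anyone who can make the Deep Security account call `sts:AssumeRole` with your role ARN may assume it", so its value must not be guessable.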
