AWSTemplateFormatVersion: 2010-09-09
Description: This CloudFormation template allows Ermetic SaaS to establish trust i.e. perform actions (as per permissions policy) with this managed account
Parameters:
  ErmeticSaaSAccountId:
    Description: 12 digit AWS Account ID of Ermetic SaaS. Ermetic SaaS establishes trust with managed accounts to perform actions as defined by a permissions policy.
    Type: String
    Default: '081802104111'
Resources:
  ErmeticSecurityMember:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              AWS:
                - !Sub 'arn:${AWS::Partition}:iam::${ErmeticSaaSAccountId}:root'
            Action: 
              - sts:AssumeRole
      Policies:
        - PolicyName: ErmeticLifecycleLambdaPolicy
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Sid: '1'
                Action:                
                  - 's3:GetObject'
                  - 'autoscaling:Describe*'
                  - 'batch:Describe*'
                  - 'batch:List*'
                  - 'cloudformation:Describe*'
                  - 'cloudformation:List*'
                  - 'cloudtrail:Describe*'
                  - 'cloudtrail:Get*'
                  - 'cloudtrail:List*'
                  - 'cloudtrail:LookupEvents'
                  - 'cloudwatch:Describe*'
                  - 'cloudwatch:GetMetric*'
                  - 'cloudwatch:ListMetrics'
                  - 'config:Describe*'
                  - 'dynamodb:Describe*'
                  - 'dynamodb:List*'
                  - 'ec2:Describe*'
                  - 'ecr:Describe*'
                  - 'ecr:GetRepositoryPolicy'
                  - 'ecr:StartImageScan'
                  - 'ecr:List*'
                  - 'ecr-public:Describe*'
                  - 'ecr-public:GetRepositoryPolicy'
                  - 'ecr-public:List*'
                  - 'ecs:Describe*'
                  - 'ecs:List*'
                  - 'eks:Describe*'
                  - 'eks:List*'
                  - 'elasticache:Describe*'
                  - 'elasticache:List*'
                  - 'elasticbeanstalk:Describe*'
                  - 'elasticbeanstalk:List*'
                  - 'elasticloadbalancing:Describe*'
                  - 'es:Describe*'
                  - 'es:List*'
                  - 'iam:Generate*'
                  - 'iam:Get*'
                  - 'iam:List*'
                  - 'identitystore:Describe*'
                  - 'kms:Describe*'
                  - 'kms:GetKey*'
                  - 'kms:List*'
                  - 'lambda:Get*Policy'
                  - 'lambda:List*'
                  - 'logs:Describe*'
                  - 'organizations:Describe*'
                  - 'organizations:List*'
                  - 'redshift:Describe*'
                  - 'redshift:List*'
                  - 'rds:Describe*'
                  - 'rds:List*'
                  - 's3:Describe*'
                  - 's3:GetAccessPoint*'
                  - 's3:GetAccountPublicAccessBlock'
                  - 's3:GetBucket*'
                  - 's3:GetEncryptionConfiguration'
                  - 's3:GetJobTagging'
                Effect: Allow
                Resource: '*'
      RoleName: IAM_R_ERMETIC_SECURITY_XA
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/SecurityAudit