AWSTemplateFormatVersion: 2010-09-09 Description: Create the AWS IAM role in each account for the IAM Credential Report Blog Post Metadata: AWS::CloudFormation::Interface: ParameterGroups: - Label: default: Role Attributes Parameters: - pIAMRoleName - pOrgPrimaryLambdaRoleArn - pTagKey1 - pTagValue1 ParameterLabels: pIAMRoleName: default: Credential Report IAM Role Name pOrgPrimaryLambdaRoleArn: default: Organization Primary Lambda Role Arn pTagKey1: default: Credential Report Role Tag Key pTagValue1: default: Credential Report Role Tag Key Value Parameters: pIAMRoleName: Type: String Description: IAM Role Name Default: iam-credential-report pOrgPrimaryLambdaRoleArn: Type: String Description: Organization Primary Account Lambda Role Arn pTagKey1: Type: String Description: Tag key Default: managed-by pTagValue1: Type: String Description: Tag key value Default: credential-cfn Resources: rIAMCredentialReportRole: Type: AWS::IAM::Role Metadata: cfn_nag: rules_to_suppress: - id: W11 reason: IAM role should not allow * resource on its permissions policy - id: F3 reason: IAM role should not allow * resource on its permissions policy Properties: RoleName: !Ref pIAMRoleName AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: AWS: !Ref pOrgPrimaryLambdaRoleArn Action: sts:AssumeRole Path: "/" Policies: - PolicyName: iam-credential-report-org-policy PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - "iam:GenerateCredentialReport" - "iam:GetCredentialReport" Resource: "*" Tags: - Key: !Ref pTagKey1 Value: !Ref pTagValue1 Outputs: oIAMCredentialReportRole: Description: IAMCredentialReportRoleArn Value: !GetAtt rIAMCredentialReportRole.Arn