{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "Creates the StrategicBlueMasterAccountReader IAM role, which grants Strategic Blue Services Ltd. permission to read billing data on this account.",
    "Metadata": {
        "AWS::CloudFormation::Interface": {
            "ParameterGroups": [
                {
                    "Label": {
                        "default": "Role-Based Access Control"
                    },
                    "Parameters": [
                        "TrustedAccountId",
                        "TrustingAccountId",
                        "RbacExternalId"
                    ]
                },
                {
                    "Label": {
                        "default": "Billing Data Access"
                    },
                    "Parameters": [
                        "BillingBucketName"
                    ]
                }
            ],
            "ParameterLabels": {
                "TrustedAccountId": {
                    "default": "Trusted Account ID"
                },
                "TrustingAccountId": {
                    "default": "Trusting Account ID"
                },
                "RbacExternalId": {
                    "default": "External ID"
                },
                "BillingBucketName": {
                    "default": "Billing Bucket Name"
                }
            }
        }
    },
    "Parameters": {
        "TrustedAccountId": {
            "Description": "The AWS account ID permitted to assume the role (the Strategic Blue account).",
            "Type": "String",
            "MinLength": "12",
            "MaxLength": "12",
            "AllowedPattern": "^[0-9]{12}$",
            "ConstraintDescription": "AWS Account ID must be 12 digits"
        },
        "TrustingAccountId": {
            "Description": "The AWS account ID that grants the access (this account; must match the account the stack is deployed into).",
            "Type": "String",
            "MinLength": "12",
            "MaxLength": "12",
            "AllowedPattern": "^[0-9]{12}$",
            "ConstraintDescription": "AWS Account ID must be 12 digits"
        },
        "BillingBucketName": {
            "Description": "The name of the S3 bucket containing the Cost and Usage Reports for this account. A trailing * wildcard widens read access to every bucket whose name matches the prefix, and a bare * to every bucket in the account.",
            "Type": "String",
            "MinLength": "1",
            "MaxLength": "63",
            "AllowedPattern": "^([0-9a-z][0-9a-z.-]+[0-9a-z]|[0-9a-z][0-9a-z.-]+\\*|[0-9a-z]\\*|\\*)$",
            "ConstraintDescription": "Bucket name must conform to the AWS bucket naming restrictions (see https://docs.aws.amazon.com/AmazonS3/latest/dev/BucketRestrictions.html), optionally ending in a * wildcard"
        },
        "RbacExternalId": {
            "Description": "The External ID (provided by Strategic Blue) required to assume the role.",
            "Type": "String",
            "MinLength": "36",
            "MaxLength": "36",
            "AllowedPattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
            "ConstraintDescription": "External ID must be a valid lowercase hexadecimal GUID of the form aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
        }
    },
    "Rules": {
        "expectedAccount": {
            "Assertions": [
                {
                    "Assert": {
                        "Fn::Equals": [
                            {
                                "Ref": "TrustingAccountId"
                            },
                            {
                                "Ref": "AWS::AccountId"
                            }
                        ]
                    },
                    "AssertDescription": "The Trusting Account ID must match the account the stack is being deployed into."
                }
            ]
        }
    },
    "Resources": {
        "MasterReaderRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "RoleName": "StrategicBlueMasterAccountReader",
                "Description": "Allows Strategic Blue apps to read billing data from this account.",
                "Path": "/",
                "MaxSessionDuration": 43200,
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [
                        {
                            "Effect": "Allow",
                            "Principal": {
                                "AWS": {
                                    "Ref": "TrustedAccountId"
                                }
                            },
                            "Condition": {
                                "StringEquals": {
                                    "sts:ExternalId": {
                                        "Ref": "RbacExternalId"
                                    }
                                }
                            },
                            "Action": [
                                "sts:AssumeRole"
                            ]
                        }
                    ]
                }
            }
        },
        "MasterReaderPolicy": {
            "Type": "AWS::IAM::Policy",
            "Properties": {
                "PolicyName": "StrategicBlueMasterAccountReadAccess",
                "Roles": [
                    {
                        "Ref": "MasterReaderRole"
                    }
                ],
                "PolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [
                        {
                            "Sid": "DiscoverLinkedAccountInformation",
                            "Effect": "Allow",
                            "Action": [
                                "organizations:ListAccounts",
                                "organizations:ListTagsForResource"
                            ],
                            "Resource": "*"
                        },
                        {
                            "Sid": "DiscoverCurInformation",
                            "Effect": "Allow",
                            "Action": [
                                "cur:DescribeReportDefinitions",
                                "bcm-data-exports:GetExport",
                                "bcm-data-exports:ListExports",
                                "bcm-data-exports:GetExecution",
                                "bcm-data-exports:ListExecutions"
                            ],
                            "Resource": "*"
                        },
                        {
                            "Sid": "ReadBillingBucket",
                            "Effect": "Allow",
                            "Action": [
                                "s3:GetObject",
                                "s3:GetBucketVersioning",
                                "s3:GetBucketLocation",
                                "s3:ListBucket"
                            ],
                            "Resource": [
                                {
                                    "Fn::Sub": [
                                        "arn:${AWS::Partition}:s3:::${BUCKET}",
                                        {
                                            "BUCKET": {
                                                "Ref": "BillingBucketName"
                                            }
                                        }
                                    ]
                                },
                                {
                                    "Fn::Sub": [
                                        "arn:${AWS::Partition}:s3:::${BUCKET}/*",
                                        {
                                            "BUCKET": {
                                                "Ref": "BillingBucketName"
                                            }
                                        }
                                    ]
                                }
                            ]
                        }
                    ]
                }
            }
        }
    }
}