Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- AWSTemplateFormatVersion: 2010-09-09
- Description: >-
- Provision EC2 instance running Qualys scanner + associated role for auditor
- Parameters:
- AuditorAccountId:
- Description: AccountId of auditor
- Type: String
- AuditorStsExternalId:
- Description: ExternalId of auditor
- Type: String
- VpcName:
- Description: Name of VPC where the scanner instance was deployed
- Type: String
- ScannerInstanceIP:
- Description: IPv4 address of Qualys scanner instance
- Type: String
- Department:
- Description: The department for this resource (i.e. Computational Oncology)
- Type: String
- Project:
- Description: The name of the project that this resource is used for (i.e. Resilience)
- Type: String
- OwnerEmail:
- Description: The owner's email address for this resource (i.e. jsmith@sagebase.org)
- Type: String
- Resources:
- AWSIAMSecurityAuditRole:
- Type: "AWS::IAM::Role"
- Properties:
- AssumeRolePolicyDocument:
- Version: "2012-10-17"
- Statement:
- -
- Effect: Allow
- Principal:
- AWS: !Sub
- - arn:aws:iam::${acctId}:root
- - { acctId: !Ref AuditorAccountId }
- Action:
- - sts:AssumeRole
- Condition: {
- StringEquals: {
- 'sts:ExternalId': !Ref AuditorStsExternalId
- }
- }
- Path: "/"
- ManagedPolicyArns:
- - arn:aws:iam::aws:policy/SecurityAudit
- ScannedInstancesSecurityGroup:
- Type: 'AWS::EC2::SecurityGroup'
- Properties:
- GroupDescription: 'Open all ports for incoming traffic'
- VpcId: !ImportValue
- 'Fn::Sub': '${AWS::Region}-${VpcName}-VPCId'
- SecurityGroupIngress:
- - CidrIp: !Sub
- - ${ip}/32
- - { ip: !Ref ScannerInstanceIP }
- FromPort: '-1'
- ToPort: '-1'
- IpProtocol: '-1'
- SecurityGroupEgress:
- - CidrIp: '0.0.0.0/0'
- FromPort: '-1'
- ToPort: '-1'
- IpProtocol: '-1'
- Outputs:
- SecurityGroup:
- Value: !Ref ScannedInstancesSecurityGroup
- Export:
- Name: !Sub '${AWS::Region}-${AWS::StackName}-ScanSecurityGroup'
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
