foundation-user-roles.yaml
---

User Roles CloudFormation Deployment

This CloudFormation template deploys the IAM roles, groups and managed policies used by people (and a few services) in this account. Each human-facing role can be assumed either through the Shibboleth SAML identity provider or, via an instance profile, by EC2 instances; a matching IAM group exists for the few local IAM users that still need it.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: 'UITS Account Foundation: IAM User Roles'
```

Parameters

These are the input parameters for this template. Parameters with a Default may be left at that value; ExistingCloudFormationDeployerRole and UARootAccountNumber have no default and must be supplied (an empty string is a valid, and meaningful, value for ExistingCloudFormationDeployerRole, see the Conditions section).

```yaml
Parameters:
```

When this template was written CloudFormation could not create IAM identity providers (it now can, through AWS::IAM::SAMLProvider), so the Shibboleth provider is created out of band before this template is run and its ARN is passed in here. Every SAML-assumable role below trusts exactly this ARN.

```yaml
  ShibbolethIDPARN:
    Description: Full ARN of the Shibboleth Identity Provider
    Default: arn:aws:iam::998687558142:saml-provider/UA_Shibboleth_IdP
    Type: String
  pAccountType:
    Description: Is this a Production account or a Non-Production account?
    Type: String
    AllowedValues:
      - Production
      - Non-Production
    Default: 'Non-Production'
  ExistingCloudFormationDeployerRole:
    Type: String
    Description: If the CloudFormation Deployer role already exists, pass its name in.
  BaseDeployerRoleArn:
    Description: Full ARN of the fdn-iam-RemoteDeployerRoleBase in the Base account.
    Default: arn:aws:iam::760232551367:role/fdn-iam-RemoteDeployerRoleBase
    Type: String
  UARootAccountNumber:
    Description: The AWS Account Number of the UA Root Organizational Master Account.
    Type: String
```

Conditions

```yaml
Conditions:
  IsProdAccount: !Equals [!Ref pAccountType, 'Production']
  IsNonProdAccount: !Equals [!Ref pAccountType, 'Non-Production']
```

CloudFormation did not originally support the RoleName property, so in older accounts the CloudFormation deployer role carries a generated name such as "fdn-iam-CloudFormationAdminDeployerRole-12AJKX5827CDR". Once that role is referenced by stacks in an account it cannot be renamed without replacing it, so the legacy name has to be kept in those accounts.

In new accounts the role is given the fixed name "fdn-CloudFormationAdminDeployer". The following condition detects which kind of account is being deployed into, either the fixed name or an empty string meaning the role does not exist yet, and decides whether a RoleName is specified.

```yaml
  CFDeployerRoleV2: !Or
    - !Equals [!Ref ExistingCloudFormationDeployerRole, 'fdn-CloudFormationAdminDeployer']
    - !Equals [!Ref ExistingCloudFormationDeployerRole, '']

Resources:
```

Sysadmin Role

The SysAdmin role and policy grant members of the group, and SAML users who assume the role, access to almost everything in the account. The IAM service is excluded as a whole and a small allow-list of IAM actions is added back below. The role also trusts ec2.amazonaws.com, so any instance launched with the SysAdminProfile instance profile receives the same permissions; treat assignment of that profile as equivalent to handing out SysAdmin.

```yaml
  SysAdmin:
    Type: AWS::IAM::Role
    Properties:
      RoleName: fdn-SysAdmin
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - sts:AssumeRole
          - Effect: Allow
            Principal:
              Federated:
                Ref: ShibbolethIDPARN
            Action: sts:AssumeRoleWithSAML
            Condition:
              StringEquals:
                SAML:aud: https://signin.aws.amazon.com/saml
  SysAdminProfile:
    Type: AWS::IAM::InstanceProfile
    DependsOn: SysAdmin
    Properties:
      Path: "/"
      Roles:
        - Ref: SysAdmin
  SysAdminGroup:
    Type: AWS::IAM::Group
    Properties:
      Path: "/"
```

The Sysadmin Policy For Production

```yaml
  SysAdminPolicyProduction:
    Type: AWS::IAM::ManagedPolicy
    Condition: IsProdAccount
    Properties:
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
```

Allow ALL actions on any resource, with the exceptions of the IAM actions.

```yaml
          - Effect: Allow
            NotAction: iam:*
            Resource: "*"
```

Allow a read-only set of IAM actions, plus iam:PassRole so that roles (including the CloudFormation deployer role below) can be attached to services.

```yaml
          - Effect: Allow
            Action:
              - iam:PassRole
              - iam:GetAccountSummary
              - iam:GetInstanceProfile
              - iam:GetPolicy
              - iam:GetPolicyVersion
              - iam:GetRole
              - iam:GetRolePolicy
              - iam:GetServerCertificate
              - iam:GetUser
              - iam:GetUserPolicy
              - iam:ListAccountAliases
              - iam:ListPolicies
              - iam:ListPolicyVersions
              - iam:ListRoles
              - iam:ListRolePolicies
              - iam:ListInstanceProfiles
              - iam:ListInstanceProfilesForRole
              - iam:ListUsers
            Resource: "*"
```

Explicitly DENY access to the billing information

```yaml
          - Effect: Deny
            Action: aws-portal:*Billing
            Resource: "*"
```

Explicitly DENY access to certain CloudTrail actions

```yaml
          - Effect: Deny
            Action:
              - cloudtrail:DeleteTrail
              - cloudtrail:StopLogging
              - cloudtrail:UpdateTrail
            Resource: "*"
```

Explicitly ALLOW kms:CreateGrant. The NotAction statement above already covers it; the explicit statement documents that grant creation is intended to remain available even though most other KMS management is denied below.

```yaml
          - Effect: Allow
            Action:
              - kms:CreateGrant
            Resource: "*"
```

Explicitly DENY the KMS management actions that could disable, delete, re-key or re-policy keys (Revoke*, Enable*, Get*, Disable*, Delete*, Put*, Update*). kms:Create* is deliberately not in the list, so creating keys, aliases and grants stays allowed; note that kms:Get* also blocks kms:GetKeyPolicy, so production SysAdmins cannot read key policies either.

```yaml
          - Effect: Deny
            Action:
              - kms:Revoke*
              - kms:Enable*
              - kms:Get*
              - kms:Disable*
              - kms:Delete*
              - kms:Put*
              - kms:Update*
            Resource: "*"
      Roles:
        - Ref: SysAdmin
      Groups:
        - Ref: SysAdminGroup
```

The Sysadmin Policy For NonProduction

```yaml
  SysAdminPolicyNonProduction:
    Type: AWS::IAM::ManagedPolicy
    Condition: IsNonProdAccount
    Properties:
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
```

Allow ALL actions on any resource, with the exceptions of the IAM actions.

```yaml
          - Effect: Allow
            NotAction: iam:*
            Resource: "*"
```

Allow a broader set of IAM actions than in production: role, policy and instance-profile management, but still no user or group management. Be aware that iam:CreateRole together with iam:AttachRolePolicy / iam:PutRolePolicy and iam:PassRole lets a non-production SysAdmin create a role with any permissions and hand it to a service, so the iam:* exclusion here limits what they can do to users and groups rather than their effective privilege.

```yaml
          - Effect: Allow
            Action:
              - iam:AddRoleToInstanceProfile
              - iam:AttachRolePolicy
              - iam:CreateInstanceProfile
              - iam:CreatePolicy
              - iam:CreatePolicyVersion
              - iam:CreateRole
              - iam:DeleteInstanceProfile
              - iam:DeletePolicy
              - iam:DeletePolicyVersion
              - iam:DeleteRole
              - iam:DeleteRolePolicy
              - iam:Get*
              - iam:List*
              - iam:PassRole
              - iam:PutRolePolicy
              - iam:RemoveRoleFromInstanceProfile
              - iam:SimulateCustomPolicy
              - iam:UploadServerCertificate
            Resource: "*"
```

Explicitly DENY access to certain CloudTrail actions

```yaml
          - Effect: Deny
            Action:
              - cloudtrail:DeleteTrail
              - cloudtrail:StopLogging
              - cloudtrail:UpdateTrail
            Resource: "*"
      Roles:
        - Ref: SysAdmin
      Groups:
        - Ref: SysAdminGroup
```

SysAdmin MFA Policy

This policy is attached only to the SysAdmin group, so it applies to IAM users who have been added to the group and not to SAML users who log in through the role and Shibboleth (for those, MFA is a matter for the identity provider).

```yaml
  SysAdminMFAPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
```

Allow all actions on any resource except the IAM actions, on the condition that the request carries aws:MultiFactorAuthPresent = true. Two caveats apply. First, this is an additional Allow, not a Deny: the group also carries the unconditional SysAdmin policy above, so a user without MFA is still allowed by that policy, and this statement does not by itself require MFA; a Deny statement with aws:MultiFactorAuthPresent false would. Second, BoolIfExists passes when the key is absent, which is the case for requests signed with long-term access keys, so it cannot distinguish an MFA session from a plain access-key call. Compare the IAM Admin MFA policy below, which uses the plain Bool operator.

```yaml
          - Effect: Allow
            NotAction: iam:*
            Resource: "*"
            Condition:
              BoolIfExists:
                aws:MultiFactorAuthPresent: 'true'
      Groups:
        - Ref: SysAdminGroup
```

IAM Admin Role

The IAM Admin role and policy allow full access to all IAM actions. iam:* is effectively administrative access, since the holder can attach any policy to any principal including their own, so membership should be kept as small as the SysAdmin role's. The Read-Only Admin policy further down is also attached to this role and group, which gives IAM admins read access to the other services. Like SysAdmin, the role trusts ec2.amazonaws.com through the IAMAdminProfile instance profile.

```yaml
  IAMAdmin:
    Type: AWS::IAM::Role
    Properties:
      RoleName: fdn-IAMAdmin
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - sts:AssumeRole
          - Effect: Allow
            Principal:
              Federated:
                Ref: ShibbolethIDPARN
            Action: sts:AssumeRoleWithSAML
            Condition:
              StringEquals:
                SAML:aud: https://signin.aws.amazon.com/saml
  IAMAdminGroup:
    Type: AWS::IAM::Group
    Properties:
      Path: "/"
  IAMAdminProfile:
    Type: AWS::IAM::InstanceProfile
    DependsOn: IAMAdmin
    Properties:
      Path: "/"
      Roles:
        - Ref: IAMAdmin
  IAMAdminPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
```

Allow ALL IAM actions

```yaml
          - Effect: Allow
            Action: iam:*
            Resource: "*"
          - Effect: Deny
            Action: aws-portal:*Billing
            Resource: "*"
      Roles:
        - Ref: IAMAdmin
      Groups:
        - Ref: IAMAdminGroup
```

IAM MFA Policy

This policy is attached only to the IAM Admin group, so it applies to IAM users who have been added to the group and not to SAML users who log in through the role and Shibboleth.

```yaml
  IAMAdminMFAPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
```

Allow all IAM actions when the request carries aws:MultiFactorAuthPresent = true. The Bool operator (unlike BoolIfExists above) does not match when the key is absent, so access-key requests do not satisfy it. As with the SysAdmin MFA policy, this is an additive Allow: the unconditional IAMAdminPolicy is attached to the same group, so this statement documents intent rather than enforcing MFA.

```yaml
          - Effect: Allow
            Action: iam:*
            Resource: "*"
            Condition:
              Bool:
                aws:MultiFactorAuthPresent: 'true'
          - Effect: Deny
            Action: aws-portal:*Billing
            Resource: "*"
      Groups:
        - Ref: IAMAdminGroup
```

Operations Role

The Operations role and policy allow broad access to the compute-related services (EC2, ELB, CloudWatch, Auto Scaling) while denying changes to network topology, billing and KMS.

```yaml
  InstanceOpsGroup:
    Type: AWS::IAM::Group
    Properties:
      Path: "/"
  InstanceOps:
    Type: AWS::IAM::Role
    Properties:
      RoleName: fdn-InstanceOps
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - sts:AssumeRole
          - Effect: Allow
            Principal:
              Federated:
                Ref: ShibbolethIDPARN
            Action: sts:AssumeRoleWithSAML
            Condition:
              StringEquals:
                SAML:aud: https://signin.aws.amazon.com/saml
  InstanceOpsProfile:
    Type: AWS::IAM::InstanceProfile
    DependsOn: InstanceOps
    Properties:
      Path: "/"
      Roles:
        - Ref: InstanceOps
  InstanceOpsPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
```

Allow ALL EC2 Actions

```yaml
          - Action: ec2:*
            Effect: Allow
            Resource: "*"
```

Allow ALL ELB Actions

```yaml
          - Effect: Allow
            Action: elasticloadbalancing:*
            Resource: "*"
```

Allow ALL CloudWatch actions

```yaml
          - Effect: Allow
            Action: cloudwatch:*
            Resource: "*"
```

Allow ALL Auto Scaling actions

```yaml
          - Effect: Allow
            Action: autoscaling:*
            Resource: "*"
```

DENY the following EC2 actions, so that operators cannot change the network topology (VPCs, subnets, route tables, VPNs, network ACLs, gateways and peering connections). Because the `ec2:*Gateway*` and `ec2:*PeeringConnection*` patterns are unanchored they also match the Describe calls for those objects (for example ec2:DescribeInternetGateways), so this role cannot list gateways or peering connections either.

```yaml
          - Effect: Deny
            Action:
              - ec2:CreateVpc*
              - ec2:DeleteVpc*
              - ec2:ModifyVpc*
              - ec2:CreateSubnet*
              - ec2:DeleteSubnet*
              - ec2:ModifySubnet*
              - ec2:Create*Route*
              - ec2:DeleteRoute*
              - ec2:AssociateRoute*
              - ec2:ReplaceRoute*
              - ec2:CreateVpn*
              - ec2:DeleteVpn*
              - ec2:AttachVpn*
              - ec2:DetachVpn*
              - ec2:CreateNetworkAcl*
              - ec2:DeleteNetworkAcl*
              - ec2:ReplaceNetworkAcl*
              - ec2:*Gateway*
              - ec2:*PeeringConnection*
            Resource: "*"
```

Deny Billing information

```yaml
          - Effect: Deny
            Action: aws-portal:*Billing
            Resource: "*"
```

Deny access to the KMS system.

```yaml
          - Effect: Deny
            Action:
              - kms:Create*
              - kms:Revoke*
              - kms:Enable*
              - kms:Get*
              - kms:Disable*
              - kms:Delete*
              - kms:Put*
              - kms:Update*
            Resource: "*"
      Roles:
        - Ref: InstanceOps
      Groups:
        - Ref: InstanceOpsGroup
```
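The following Python script is an added illustration, not part of this template or its tooling. It is a deliberately small model of IAM evaluation (Action/NotAction wildcards, the Bool and BoolIfExists operators, explicit-deny precedence; Resource matching is skipped because every statement in this template uses "*") run over the production SysAdmin policy, the SysAdmin and IAM Admin MFA policies and the InstanceOps policy transcribed from above. The request contexts are constructed. It shows the points made in the notes on those policies: BoolIfExists passes when the key is absent (long-term access keys), the MFA policies are additive Allows that do not override the unconditional group policy, and `ec2:*Gateway*` denies the Describe calls too.

```python
"""Minimal IAM evaluation model (an added illustration, not AWS's engine).

Identity-based policies only: Action/NotAction wildcards, Bool and BoolIfExists
conditions, explicit-deny precedence. Resource matching is skipped because every
statement in this template uses Resource: "*".
"""
import fnmatch


def _as_list(value):
    return [] if value is None else (value if isinstance(value, list) else [value])


def action_matches(pattern, action):
    """IAM action matching is case-insensitive; * and ? are wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def condition_matches(condition, ctx):
    """Bool: key must be present and equal. BoolIfExists: passes when the key is
    absent, e.g. a request signed with long-term access keys, which carries no
    aws:MultiFactorAuthPresent key at all."""
    for operator, pairs in (condition or {}).items():
        if operator not in ("Bool", "BoolIfExists"):
            raise NotImplementedError(operator)
        for key, wanted in pairs.items():
            present = key in ctx
            equal = present and str(ctx[key]).lower() == str(wanted).lower()
            if operator == "Bool" and not equal:
                return False
            if operator == "BoolIfExists" and present and not equal:
                return False
    return True


def statement_applies(stmt, action, ctx):
    if "Action" in stmt:
        hit = any(action_matches(p, action) for p in _as_list(stmt["Action"]))
    else:  # NotAction: the statement covers every action NOT listed
        hit = not any(action_matches(p, action) for p in _as_list(stmt["NotAction"]))
    return hit and condition_matches(stmt.get("Condition"), ctx)


def evaluate(policies, action, ctx=None):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one action across all
    attached policies. An explicit Deny anywhere wins over any Allow."""
    ctx = ctx or {}
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not statement_applies(stmt, action, ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"
            decision = "Allow"
    return decision


# Statements transcribed from the template (Resource: "*" omitted).
SYSADMIN_PROD = {"Statement": [
    {"Effect": "Allow", "NotAction": "iam:*"},
    {"Effect": "Allow", "Action": [
        "iam:PassRole", "iam:GetAccountSummary", "iam:GetInstanceProfile", "iam:GetPolicy",
        "iam:GetPolicyVersion", "iam:GetRole", "iam:GetRolePolicy", "iam:GetServerCertificate",
        "iam:GetUser", "iam:GetUserPolicy", "iam:ListAccountAliases", "iam:ListPolicies",
        "iam:ListPolicyVersions", "iam:ListRoles", "iam:ListRolePolicies",
        "iam:ListInstanceProfiles", "iam:ListInstanceProfilesForRole", "iam:ListUsers"]},
    {"Effect": "Deny", "Action": "aws-portal:*Billing"},
    {"Effect": "Deny", "Action": ["cloudtrail:DeleteTrail", "cloudtrail:StopLogging",
                                  "cloudtrail:UpdateTrail"]},
    {"Effect": "Allow", "Action": "kms:CreateGrant"},
    {"Effect": "Deny", "Action": ["kms:Revoke*", "kms:Enable*", "kms:Get*", "kms:Disable*",
                                  "kms:Delete*", "kms:Put*", "kms:Update*"]},
]}
SYSADMIN_MFA = {"Statement": [{"Effect": "Allow", "NotAction": "iam:*",
    "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "true"}}}]}
IAMADMIN_MFA = {"Statement": [{"Effect": "Allow", "Action": "iam:*",
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}
INSTANCE_OPS = {"Statement": [  # the four service-wide Allows merged into one statement
    {"Effect": "Allow", "Action": ["ec2:*", "elasticloadbalancing:*", "cloudwatch:*", "autoscaling:*"]},
    {"Effect": "Deny", "Action": [
        "ec2:CreateVpc*", "ec2:DeleteVpc*", "ec2:ModifyVpc*", "ec2:CreateSubnet*",
        "ec2:DeleteSubnet*", "ec2:ModifySubnet*", "ec2:Create*Route*", "ec2:DeleteRoute*",
        "ec2:AssociateRoute*", "ec2:ReplaceRoute*", "ec2:CreateVpn*", "ec2:DeleteVpn*",
        "ec2:AttachVpn*", "ec2:DetachVpn*", "ec2:CreateNetworkAcl*", "ec2:DeleteNetworkAcl*",
        "ec2:ReplaceNetworkAcl*", "ec2:*Gateway*", "ec2:*PeeringConnection*"]},
    {"Effect": "Deny", "Action": "aws-portal:*Billing"},
    {"Effect": "Deny", "Action": ["kms:Create*", "kms:Revoke*", "kms:Enable*", "kms:Get*",
                                  "kms:Disable*", "kms:Delete*", "kms:Put*", "kms:Update*"]},
]}

# Constructed request contexts: MFA session, non-MFA session, long-term access keys.
WITH_MFA = {"aws:MultiFactorAuthPresent": "true"}
NO_MFA = {"aws:MultiFactorAuthPresent": "false"}
ACCESS_KEYS = {}  # key absent

if __name__ == "__main__":
    for label, policies, action, ctx in [
        ("SysAdmin prod, cloudtrail:StopLogging", [SYSADMIN_PROD], "cloudtrail:StopLogging", {}),
        ("SysAdmin MFA policy alone, access keys", [SYSADMIN_MFA], "s3:PutObject", ACCESS_KEYS),
        ("SysAdmin group (both policies), no MFA", [SYSADMIN_PROD, SYSADMIN_MFA], "s3:PutObject", NO_MFA),
        ("IAMAdmin MFA policy alone, access keys", [IAMADMIN_MFA], "iam:CreateUser", ACCESS_KEYS),
        ("InstanceOps, ec2:DescribeInternetGateways", [INSTANCE_OPS], "ec2:DescribeInternetGateways", {}),
    ]:
        print(f"{label}: {evaluate(policies, action, ctx)}")
```

Run it as a script to print the decisions, or import it and call `evaluate` with your own action and context. The model is intentionally limited to what this template uses; for a real policy question use the IAM policy simulator (iam:SimulateCustomPolicy, which the non-production SysAdmin policy grants).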

Read-Only Admin Role

The Read-Only Admin role and policy allow broad read access to most services. The policy is attached to the IAM Admin role and group as well. Note that a few of the listed actions return data rather than metadata (sqs:ReceiveMessage, logs:GetLogEvents, logs:FilterLogEvents, sdb:Select*), so "read-only" here includes reading message and log contents.

```yaml
  ReadOnlyAdminGroup:
    Type: AWS::IAM::Group
    Properties:
      Path: "/"
  ReadOnlyAdmin:
    Type: AWS::IAM::Role
    Properties:
      RoleName: fdn-ReadOnlyAdmin
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - sts:AssumeRole
          - Effect: Allow
            Principal:
              Federated:
                Ref: ShibbolethIDPARN
            Action: sts:AssumeRoleWithSAML
            Condition:
              StringEquals:
                SAML:aud: https://signin.aws.amazon.com/saml
  ReadOnlyAdminProfile:
    Type: AWS::IAM::InstanceProfile
    DependsOn: ReadOnlyAdmin
    Properties:
      Path: "/"
      Roles:
        - Ref: ReadOnlyAdmin
```

Read-Only Admin Policy

```yaml
  ReadOnlyAdminPolicy:
    Type: AWS::IAM::ManagedPolicy
    DependsOn: ReadOnlyAdminProfile
    Properties:
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Action:
              - appstream:Get*
              - autoscaling:Describe*
              - cloudformation:DescribeStacks
              - cloudformation:DescribeStackEvents
              - cloudformation:DescribeStackResource
              - cloudformation:DescribeStackResources
              - cloudformation:GetTemplate
              - cloudformation:List*
              - cloudfront:Get*
              - cloudfront:List*
              - cloudtrail:DescribeTrails
              - cloudtrail:GetTrailStatus
              - cloudwatch:Describe*
              - cloudwatch:Get*
              - cloudwatch:List*
              - directconnect:Describe*
              - dynamodb:DescribeTable
              - dynamodb:ListTables
              - ec2:Describe*
              - elasticache:Describe*
              - elasticbeanstalk:Check*
              - elasticbeanstalk:Describe*
              - elasticbeanstalk:List*
              - elasticbeanstalk:RequestEnvironmentInfo
              - elasticbeanstalk:RetrieveEnvironmentInfo
              - elasticfilesystem:Describe*
              - elasticloadbalancing:Describe*
              - elastictranscoder:Read*
              - elastictranscoder:List*
              - iam:List*
              - iam:Get*
              - kinesis:Describe*
              - kinesis:Get*
              - kinesis:List*
              - logs:Describe*
              - logs:FilterLogEvents
              - logs:GetLogEvents
              - logs:ListTagsLogGroup
              - opsworks:Describe*
              - opsworks:Get*
              - route53:Get*
              - route53:List*
              - redshift:Describe*
              - redshift:ViewQueriesInConsole
              - rds:Describe*
              - rds:ListTagsForResource
              - s3:List*
              - sdb:GetAttributes
              - sdb:List*
              - sdb:Select*
              - ses:Get*
              - ses:List*
              - sns:Get*
              - sns:List*
              - sqs:GetQueueAttributes
              - sqs:ListQueues
              - sqs:ReceiveMessage
              - storagegateway:List*
              - storagegateway:Describe*
              - trustedadvisor:Describe*
            Effect: Allow
            Resource: "*"
      Roles:
        - Ref: ReadOnlyAdmin
        - Ref: IAMAdmin
      Groups:
        - Ref: ReadOnlyAdminGroup
        - Ref: IAMAdminGroup
```

Read-Only Billing Role

The Read-Only Billing role and policy allow read access to billing information. The policy is attached to both the ReadOnlyBilling and the BillingPurchasing roles and groups.

```yaml
  ReadOnlyBillingGroup:
    Type: AWS::IAM::Group
    Properties:
      Path: "/"
  ReadOnlyBilling:
    Type: AWS::IAM::Role
    Properties:
      RoleName: fdn-ReadOnlyBilling
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - sts:AssumeRole
          - Effect: Allow
            Principal:
              Federated:
                Ref: ShibbolethIDPARN
            Action: sts:AssumeRoleWithSAML
            Condition:
              StringEquals:
                SAML:aud: https://signin.aws.amazon.com/saml
  ReadOnlyBillingPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
```

Allow all aws-portal:View* actions

```yaml
          - Effect: Allow
            Action: aws-portal:View*
            Resource: "*"
```

DENY access to aws-portal:*Account actions such as :ViewAccount and :ModifyAccount

```yaml
          - Effect: Deny
            Action: aws-portal:*Account
            Resource: "*"
      Roles:
        - Ref: ReadOnlyBilling
        - Ref: BillingPurchasing
      Groups:
        - Ref: ReadOnlyBillingGroup
        - Ref: BillingPurchasingGroup
```

Billing & Purchasing Role

The Billing & Purchasing role and policy allow read access to billing information (through the ReadOnlyBillingPolicy above, which is attached to this role too), the ability to purchase and exchange reserved capacity for EC2, RDS and Redshift, and the ability to open support cases through the AWS-managed AWSSupportAccess policy.

```yaml
  BillingPurchasingGroup:
    Type: AWS::IAM::Group
    Properties:
      Path: "/"
  BillingPurchasing:
    Type: AWS::IAM::Role
    Properties:
      RoleName: fdn-BillingPurchasing
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AWSSupportAccess
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - sts:AssumeRole
          - Effect: Allow
            Principal:
              Federated:
                Ref: ShibbolethIDPARN
            Action: sts:AssumeRoleWithSAML
            Condition:
              StringEquals:
                SAML:aud: https://signin.aws.amazon.com/saml
  BillingPurchasingPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
```

Allow access to EC2 actions

```yaml
          - Effect: Allow
            Action:
              - ec2:AcceptReservedInstancesExchangeQuote
              - ec2:CancelReservedInstancesListing
              - ec2:CreateReservedInstancesListing
              - ec2:Describe*
              - ec2:GetHostReservationPurchasePreview
              - ec2:GetReservedInstancesExchangeQuote
              - ec2:ModifyReservedInstances
              - ec2:PurchaseHostReservation
              - ec2:PurchaseReservedInstancesOffering
              - ec2:PurchaseScheduledInstances
            Resource: "*"
```

Allow access to RDS actions

```yaml
          - Effect: Allow
            Action:
              - rds:Describe*
              - rds:DescribeOrderableDBInstanceOptions
              - rds:DescribeReservedDBInstances
              - rds:DescribeReservedDBInstancesOfferings
              - rds:ListTagsForResource
              - rds:PurchaseReservedDBInstancesOffering
            Resource: "*"
```

Allow access to Redshift actions

```yaml
          - Effect: Allow
            Action:
              - redshift:Describe*
              - redshift:FetchResults
              - redshift:GetReservedNodeExchangeOfferings
              - redshift:AcceptReservedNodeExchange
              - redshift:PurchaseReservedNodeOffering
            Resource: "*"
```

DENY access to aws-portal:*Account actions such as :ViewAccount and :ModifyAccount

```yaml
          - Effect: Deny
            Action: aws-portal:*Account
            Resource: "*"
      Roles:
        - Ref: BillingPurchasing
      Groups:
        - Ref: BillingPurchasingGroup
```

CloudFormation Administrator Deployer Role

This role grants full administrative permissions to CloudFormation when it is passed as the service role for a stack. It trusts only cloudformation.amazonaws.com, so the control over who can use it is iam:PassRole. In this template that is the SysAdmin role (iam:PassRole on "*"), the IAM Admin role (iam:*) and the RemoteDeployerRoleTarget below; anyone who can pass this role can deploy a stack that does anything in the account, so those principals should be the only trusted ones.

```yaml
  CloudFormationAdminDeployerRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !If
        - CFDeployerRoleV2
        - fdn-CloudFormationAdminDeployer
        - !Ref AWS::NoValue
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - cloudformation.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: "/"
      Policies:
        - PolicyName: cloudformation-admin-deployer
          PolicyDocument:
            Statement:
              - Action:
                  - "*"
                Effect: Allow
                Resource:
                  - "*"
```

OpsWorks Service Role

This is the service role given to OpsWorks, which allows OpsWorks to manage AWS resources on the account's behalf. The policy is the standard one recommended by AWS; see the AWS documentation for the OpsWorks service role. It trusts only opsworks.amazonaws.com.

```yaml
  OpsWorksServiceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - opsworks.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: "/"
      Policies:
        - PolicyName: opsworks-service
          PolicyDocument:
            Statement:
              - Action:
                  - ec2:*
                  - iam:PassRole
                  - cloudwatch:GetMetricStatistics
                  - elasticloadbalancing:*
                  - rds:*
                Effect: Allow
                Resource:
                  - "*"
```

Remote Deployer role

This role lets a deployer in another account create and update foundation stacks here. It trusts exactly one cross-account principal, the fdn-iam-RemoteDeployerRoleBase role in the Base account (BaseDeployerRoleArn), plus the Lambda service. Its permissions are scoped to reading templates from the service-catalog prefix of the ua-uits-ecs-public bucket and to stacks named fdn-*. Note that iam:PassRole is granted on "*", so the role can pass any role in this account (including the CloudFormation admin deployer above) to the stacks it creates; the stack-name prefix is the only scoping on that.

```yaml
  RemoteDeployerRoleTarget:
    Type: AWS::IAM::Role
    Properties:
      RoleName: fdn-iam-RemoteDeployerRoleTarget
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              AWS: !Ref BaseDeployerRoleArn
              Service: "lambda.amazonaws.com"
            Action: "sts:AssumeRole"
      Path: "/"
      Policies:
        - PolicyName: RemoteDeployerPolicyTarget
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Action: "s3:GetObject"
                Resource: arn:aws:s3:::ua-uits-ecs-public/service-catalog/master/*
              - Effect: "Allow"
                Action:
                  - "cloudformation:CreateStack"
                  - "cloudformation:UpdateStack"
                Resource: !Sub arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/fdn-*/*
              - Effect: "Allow"
                Action:
                  - "cloudformation:ListStacks"
                  - "cloudformation:DescribeStacks"
                  - "logs:CreateLogGroup"
                  - "logs:CreateLogStream"
                  - "iam:PassRole"
                Resource: "*"
```

CloudFormation Stack Set Role

This role allows central deployment of CloudFormation StackSets from the organization master account. See https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-prereqs.html for the prerequisites it implements.

```yaml
  CloudFormationStackSetExecutionRole:
    Type: AWS::IAM::Role
    Properties:
```

The role name must be exactly AWSCloudFormationStackSetExecutionRole, which is the name StackSets looks for in each target account. The trust policy names the master account root, so any principal in that account that is itself allowed sts:AssumeRole on this ARN can use it; the role then has full administrative permissions here.

```yaml
      RoleName: AWSCloudFormationStackSetExecutionRole
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${UARootAccountNumber}:root"
            Action:
              - sts:AssumeRole
      Path: "/"
      Policies:
        - PolicyName: cloudformation-stackset-deployer
          PolicyDocument:
            Statement:
              - Action:
                  - "*"
                Effect: Allow
                Resource:
                  - "*"
```
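The following Python script is an added example, not part of this template or the project's tooling: an offline check over the trust policies defined above (the SAML role pattern shared by the user-facing roles, fdn-iam-RemoteDeployerRoleTarget and AWSCloudFormationStackSetExecutionRole), transcribed as dicts with the parameter defaults substituted. UA_ROOT_ACCOUNT is a placeholder for the UARootAccountNumber parameter, and the "constructed-no-aud" document is a deliberately broken variant for comparison. It flags federated principals other than the Shibboleth IdP, SAML trusts that lack the SAML:aud condition, AWS principals outside an expected set, whole-account (:root) trusts, and service principals this template does not use.

```python
"""Offline trust-policy audit (an added example, not part of this template).

Trust documents are transcribed from the roles in this template with parameter
values substituted. UA_ROOT_ACCOUNT is a placeholder for UARootAccountNumber.
"""
SHIBBOLETH_IDP = "arn:aws:iam::998687558142:saml-provider/UA_Shibboleth_IdP"
BASE_DEPLOYER_ROLE = "arn:aws:iam::760232551367:role/fdn-iam-RemoteDeployerRoleBase"
UA_ROOT_ACCOUNT = "111111111111"  # placeholder, not a real account number
UA_ROOT_PRINCIPAL = f"arn:aws:iam::{UA_ROOT_ACCOUNT}:root"
SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"
EXPECTED_SERVICES = {"ec2.amazonaws.com", "cloudformation.amazonaws.com",
                     "opsworks.amazonaws.com", "lambda.amazonaws.com"}


def _as_list(value):
    return [] if value is None else (value if isinstance(value, list) else [value])


def audit_trust(role_name, doc, trusted_arns=(), idp=SHIBBOLETH_IDP):
    """Return a list of findings; an empty list means the trust policy is as expected."""
    findings = []
    for stmt in doc["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append(f"{role_name}: wildcard principal, anyone may attempt to assume")
            continue
        actions = set(_as_list(stmt.get("Action")))
        for fed in _as_list(principal.get("Federated")):
            if fed != idp:
                findings.append(f"{role_name}: federated principal {fed} is not the expected IdP")
            if "sts:AssumeRoleWithSAML" not in actions:
                findings.append(f"{role_name}: federated trust without sts:AssumeRoleWithSAML")
            aud = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
            if aud != SAML_AUDIENCE:
                findings.append(f"{role_name}: SAML trust lacks the SAML:aud condition")
        for arn in _as_list(principal.get("AWS")):
            if arn == "*":
                findings.append(f"{role_name}: AWS principal * (any account)")
            elif arn not in trusted_arns:
                findings.append(f"{role_name}: AWS principal {arn} is not in the trusted set")
            if arn.endswith(":root"):
                findings.append(f"{role_name}: trusts the whole account {arn}; any principal "
                                "there that is allowed sts:AssumeRole on this role can use it")
        for service in _as_list(principal.get("Service")):
            if service not in EXPECTED_SERVICES:
                findings.append(f"{role_name}: unexpected service principal {service}")
    return findings


# Trust policies transcribed from the template.
SAML_TRUST = {"Statement": [  # used by fdn-SysAdmin, fdn-IAMAdmin, fdn-InstanceOps, ...
    {"Effect": "Allow", "Principal": {"Service": ["ec2.amazonaws.com"]},
     "Action": ["sts:AssumeRole"]},
    {"Effect": "Allow", "Principal": {"Federated": SHIBBOLETH_IDP},
     "Action": "sts:AssumeRoleWithSAML",
     "Condition": {"StringEquals": {"SAML:aud": SAML_AUDIENCE}}}]}
REMOTE_DEPLOYER_TRUST = {"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": BASE_DEPLOYER_ROLE, "Service": "lambda.amazonaws.com"},
     "Action": "sts:AssumeRole"}]}
STACKSET_TRUST = {"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": UA_ROOT_PRINCIPAL}, "Action": ["sts:AssumeRole"]}]}
# Constructed negative case: the SAML statement with its audience condition dropped.
SAML_TRUST_NO_AUD = {"Statement": [dict(SAML_TRUST["Statement"][1], Condition={})]}


def audit_all():
    return {
        "fdn-SysAdmin": audit_trust("fdn-SysAdmin", SAML_TRUST),
        "fdn-iam-RemoteDeployerRoleTarget": audit_trust(
            "fdn-iam-RemoteDeployerRoleTarget", REMOTE_DEPLOYER_TRUST,
            trusted_arns={BASE_DEPLOYER_ROLE}),
        "AWSCloudFormationStackSetExecutionRole": audit_trust(
            "AWSCloudFormationStackSetExecutionRole", STACKSET_TRUST,
            trusted_arns={UA_ROOT_PRINCIPAL}),
        "constructed-no-aud": audit_trust("constructed-no-aud", SAML_TRUST_NO_AUD),
    }


if __name__ == "__main__":
    for role, findings in audit_all().items():
        print(role, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

The whole-account finding on the StackSet execution role is expected for that role (the StackSets prerequisites require trusting the administration account); the check exists so the same pattern is noticed if it appears on any other role. To run the audit against live roles, feed `audit_trust` the AssumeRolePolicyDocument returned by iam:GetRole instead of the transcribed dicts.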

Cloudability User and Policy

An IAM user for the Cloudability cost-reporting service, with an inline read-only policy limited to the describe and list calls it needs. This template creates the user only; it does not create access keys for it.

```yaml
  CloudabilityUser:
    Type: AWS::IAM::User
    Properties:
      UserName: fdn-Cloudability
      Path: "/"
      Policies:
        - PolicyName: Cloudability_API_Access
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - ec2:DescribeInstances
                  - ec2:DescribeImages
                  - ec2:DescribeReservedInstances
                  - ec2:DescribeReservedInstancesModifications
                  - ec2:DescribeVolumes
                  - ec2:DescribeSnapshots
                  - cloudwatch:GetMetricStatistics
                  - elasticache:DescribeReservedCacheNodes
                  - elasticache:ListTagsForResource
                  - elasticache:DescribeCacheClusters
                  - rds:DescribeReservedDBInstances
                  - rds:DescribeDBInstances
                  - rds:DescribeDBClusters
                  - rds:ListTagsForResource
                  - redshift:DescribeReservedNodes
                  - redshift:DescribeTags
                  - dynamodb:DescribeTable
                  - dynamodb:ListTables
                  - iam:ListUsers
                  - iam:GetUser
                Resource:
                  - "*"
```

Outputs

```yaml
Outputs:
  SysAdmin:
    Value: !Ref SysAdmin
  IAMAdmin:
    Value: !Ref IAMAdmin
  InstanceOps:
    Value: !Ref InstanceOps
  ReadOnlyBilling:
    Value: !Ref ReadOnlyBilling
  BillingPurchasing:
    Value: !Ref BillingPurchasing
  ReadOnlyAdmin:
    Value: !Ref ReadOnlyAdmin
  OpsWorksServiceRole:
    Value: !Ref OpsWorksServiceRole
    Export:
      Name: !Sub "${AWS::StackName}-opsworks-service-role"
  OpsWorksServiceRoleArn:
    Value: !GetAtt OpsWorksServiceRole.Arn
    Export:
      Name: !Sub "${AWS::StackName}-opsworks-service-role-arn"
  CloudFormationAdminDeployerRole:
    Value: !Ref CloudFormationAdminDeployerRole
    Export:
      Name: !Sub "${AWS::StackName}-cloudformation-deployer-role"
  CloudFormationAdminDeployerRoleArn:
    Value: !GetAtt CloudFormationAdminDeployerRole.Arn
    Export:
      Name: !Sub "${AWS::StackName}-cloudformation-deployer-role-arn"
  RemoteDeployerRoleTarget:
    Value: !GetAtt RemoteDeployerRoleTarget.Arn
    Export:
      Name: !Sub "${AWS::StackName}-remote-deployer-role-arn"
```