AWSTemplateFormatVersion: 2010-09-09 Description: "UITS Account Foundation: Organizations Read-Only IAM Role"

Parameters: OrganizationsMasterAccountNumber: Description: AWS Organizations master account number Type: String MinLength: 12 MaxLength: 12 AllowedPattern: "[0-9]*"

Metadata: AWS::CloudFormation::Interface: ParameterGroups: - Label: default: Settings Parameters: - OrganizationsMasterAccountNumber

IamOrganizationsReadOnlyRole: Type: AWS::IAM::Role Properties: RoleName: ua-organizations-read-only-role AssumeRolePolicyDocument: Statement: - Effect: Allow Principal: AWS: !Sub arn:aws:iam::${OrganizationsMasterAccountNumber}:root Action: sts:AssumeRole ManagedPolicyArns: - arn:aws:iam::aws:policy/ReadOnlyAccess

IamPolicyDenyCertainActions: Type: AWS::IAM::Policy Properties: PolicyName: ua-organizations-read-only-denial-override PolicyDocument: Version: 2012-10-17 Statement: - Effect: Deny Action: - acm:Get* - acm-pca:Get* - athena:GetQuery* - codecommit:GetBlob - codecommit:GetCommit* - codecommit:GetDifferences - codecommit:GetFile - codecommit:GetFolder - codecommit:GetMerge* - codecommit:GetPullRequest* - codecommit:GitPull - dax:BatchGetItem - dax:GetItem - dax:Query - dax:Scan - dynamodb:BatchGet* - dynamodb:Get* - dynamodb:Query* - dynamodb:Scan* - ecr:GetAuthorizationToken - es:ESHttpGet - es:ESHttpHead - iotanalytics:Get* - lex:GetExport - logs:FilterLogEvents - logs:Get* - logs:StartQuery - logs:StopQuery - logs:TestMetricFilter - machinelearning:Get* - personalize:Get* - polly:Get* - polly:SynthesizeSpeech - qldb:Get* - rekognition:CompareFaces - rekognition:Detect* - rekognition:Search* - rds:Download* - redshift:View* - s3:GetObject - s3:GetObjectVersion - s3:GetObjectVersionForReplication - sagemaker:GetSearchSuggestions - sagemaker:Search - sdb:Get* - sdb:Select* - snowball:GetJobUnlockCode - sqs:Receive* - ssm:GetParameter* - transcribe:GetMedicalTranscriptionJob - transcribe:GetTranscriptionJob Resource: "*" Roles: - !Ref IamOrganizationsReadOnlyRole