# Organizations access for the cross-account role: read the organization
# tree (roots, OUs, accounts, parents) plus the ability to invite accounts.
# The invite is the single mutating action in this policy.
CrossAccountRoleOrganizationsAccessPolicy:
  Type: AWS::IAM::Policy
  # Explicit ordering; the !Ref under Roles already implies this dependency.
  DependsOn: CrossAccountRole
  Properties:
    PolicyName: CrossAccountRoleOrganizationsAccessPolicy
    PolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Action:
            # Read-only inventory of the organization.
            - organizations:DescribeOrganization
            - organizations:DescribeOrganizationalUnit
            - organizations:ListAccounts
            - organizations:ListAccountsForParent
            - organizations:ListParents
            - organizations:ListRoots
            # Mutating: sends membership invitations (callable only from the
            # organization's management account).
            - organizations:InviteAccountToOrganization
          # NOTE(review): some of these actions accept root/OU ARNs as the
          # resource; "*" is kept as in the original — confirm whether
          # scoping to specific roots/OUs is wanted.
          Resource: "*"
    Roles:
      - !Ref CrossAccountRole
# Cost Explorer read access plus the EC2 Reserved Instance actions used to
# purchase, exchange, modify, queue/cancel and resell RIs for the account.
# Split into a read statement and a write statement so the spend-committing
# actions are visible at a glance; the effective grant is unchanged.
CrossAccountAutoSavingsPolicy:
  Type: AWS::IAM::Policy
  # InitialRegistrationNotification is defined elsewhere in the template;
  # granting after the registration notification looks intentional — confirm.
  DependsOn: InitialRegistrationNotification
  Properties:
    PolicyName: CrossAccountAutoSavingsPolicy
    PolicyDocument:
      Version: "2012-10-17"
      Statement:
        # Read-only: cost data, RI inventory, offerings and exchange quotes.
        - Effect: Allow
          Action:
            - ce:Describe*
            - ce:Get*
            - ce:List*
            - ec2:DescribeReservedInstances
            - ec2:DescribeReservedInstancesListings
            - ec2:DescribeReservedInstancesModifications
            - ec2:DescribeReservedInstancesOfferings
            - ec2:GetReservedInstancesExchangeQuote
          Resource: "*"
        # Mutating: these commit spend (purchase/exchange/modify) or place RIs
        # on the Marketplace (listings).
        # NOTE(review): "*" kept as in the original — check whether condition
        # keys on the EC2 RI actions can bound what may be purchased.
        - Effect: Allow
          Action:
            - ec2:AcceptReservedInstancesExchangeQuote
            - ec2:CancelReservedInstancesListing
            - ec2:CreateReservedInstancesListing
            - ec2:DeleteQueuedReservedInstances
            - ec2:ModifyReservedInstances
            - ec2:PurchaseReservedInstancesOffering
          Resource: "*"
    Roles:
      - !Ref CrossAccountRole
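# Read access to this stack and to the OpsNow StackSets in the account
# (stack status, template, StackSet and operation details). No mutating
# CloudFormation action is granted.
CrossAccountRoleCloudFormationAccessPolicy:
  Type: AWS::IAM::Policy
  # InitialRegistrationNotification is defined elsewhere in the template.
  DependsOn: InitialRegistrationNotification
  Properties:
    PolicyName: CrossAccountRoleCloudFormationAccessPolicy
    PolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Action:
            - cloudformation:DescribeStacks
            - cloudformation:GetTemplate
            - cloudformation:ListStackSetOperationResults
            - cloudformation:DescribeStackSetOperation
            - cloudformation:DescribeStackSet
          Resource:
            # This stack's own ARN.
            - !Ref "AWS::StackId"
            # Kept on one line on purpose: a line break inside a double-quoted
            # scalar is folded to a space, which would leave ": ${AWS::AccountId}"
            # in the ARN and match no StackSet at all.
            # NOTE(review): the region is pinned to us-east-1 while the CUR
            # policy uses ${AWS::Region}; confirm the StackSet home region is
            # intentionally fixed.
            - !Sub "arn:aws:cloudformation:us-east-1:${AWS::AccountId}:stackset/opsnow-stackset-*:*"
    Roles:
      - !Ref CrossAccountRole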
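# Lets the role create/inspect the Cost and Usage Report definition and set
# up the per-account CUR bucket (create, notification, lifecycle, policy).
CrossAccountRoleCURPolicy:
  Type: AWS::IAM::Policy
  # InitialRegistrationNotification is defined elsewhere in the template.
  DependsOn: InitialRegistrationNotification
  Properties:
    PolicyName: CrossAccountRoleCURPolicy
    PolicyDocument:
      Version: "2012-10-17"
      Statement:
        # Actions that support resource-level permissions, pinned to the CUR
        # definition ARN and the per-account CUR bucket (bucket ARN for the
        # bucket-level actions, bucket/* for objects).
        - Effect: Allow
          Action:
            - cur:PutReportDefinition
            - cur:DescribeReportDefinitions
            - s3:CreateBucket
            - s3:PutBucketNotification
            - s3:PutLifecycleConfiguration
            # s3:PutBucketPolicy can change who may read the CUR bucket; it is
            # limited to the CUR bucket ARN below.
            - s3:PutBucketPolicy
          Resource:
            # NOTE(review): the CUR API is served from us-east-1; if this stack
            # can be deployed in another region, confirm ${AWS::Region} still
            # matches the definition ARN.
            - !Sub "arn:aws:cur:${AWS::Region}:${AWS::AccountId}:definition/*"
            - !Sub "arn:aws:s3:::${CostUsageReportBucketName}-${AWS::AccountId}/*"
            - !Sub "arn:aws:s3:::${CostUsageReportBucketName}-${AWS::AccountId}"
        # Cost Explorer actions do not support resource-level permissions, so
        # ce:ListCostAllocationTags was silently ineffective when listed next
        # to the ARNs above; it needs its own statement on "*".
        # (CrossAccountAutoSavingsPolicy already grants ce:List* on "*", so this
        # is also a duplicate grant.)
        - Effect: Allow
          Action:
            - ce:ListCostAllocationTags
          Resource: "*"
    Roles:
      - !Ref CrossAccountRole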
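# Read access to the per-account CUR bucket: list the bucket and fetch the
# report objects under the cur/<bucket-name>/ prefix.
CrossAccountRoleS3AccessPolicy:
  Type: AWS::IAM::Policy
  # InitialRegistrationNotification is defined elsewhere in the template.
  DependsOn: InitialRegistrationNotification
  Properties:
    PolicyName: CrossAccountRoleS3AccessPolicy
    PolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Action:
            - "s3:GetObject"
            - "s3:ListBucket"
          Resource:
            # Bucket ARN (for s3:ListBucket).
            - !Sub "arn:aws:s3:::${CostUsageReportBucketName}-${AWS::AccountId}"
            # Object ARN (for s3:GetObject). Kept on one line on purpose: a line
            # break inside a double-quoted scalar is folded to a space, which
            # would leave "- ${AWS::AccountId}" in the ARN and match no object.
            - !Sub "arn:aws:s3:::${CostUsageReportBucketName}-${AWS::AccountId}/cur/${CostUsageReportBucketName}/*"
    Roles:
      - !Ref CrossAccountRole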
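# Read-only asset inventory across services (Describe/List/Get plus tag
# reads). Actions are kept sorted by service so additions are easy to review
# for duplicates and for anything that is not read-only.
CrossAccountRoleAssetPolicy:
  Type: AWS::IAM::Policy
  # InitialRegistrationNotification is defined elsewhere in the template.
  DependsOn: InitialRegistrationNotification
  Properties:
    PolicyName: CrossAccountRoleAssetPolicy
    PolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Action:
            - airflow:GetEnvironment
            - airflow:ListEnvironments
            - airflow:ListTagsForResource
            # NOTE(review): apigateway:GET on "*" covers every read under the
            # API Gateway control plane, not only the API inventory — confirm
            # the full scope is needed or narrow the resource.
            - apigateway:GET
            - autoscaling:Describe*
            - cloudfront:List*
            - cloudsearch:DescribeAnalysisSchemes
            - cloudsearch:DescribeDomains
            - cloudsearch:ListDomainNames
            - cloudtrail:LookupEvents
            - cloudwatch:GetMetricStatistics
            - cloudwatch:ListMetrics
            - cloudwatch:ListTagsForResource
            - codedeploy:Get*
            - codedeploy:List*
            - directconnect:DescribeConnections
            - directconnect:DescribeTags
            - dms:DescribeConnections
            - dms:ListTagsForResource
            - dynamodb:DescribeTable
            - dynamodb:ListTables
            - dynamodb:ListTagsOfResource
            - ec2:Describe*
            - ecs:Describe*
            - ecs:List*
            - eks:DescribeCluster
            - eks:ListClusters
            - eks:ListTagsForResource
            - elasticache:DescribeCacheClusters
            - elasticache:DescribeReplicationGroups
            - elasticache:ListTagsForResource
            - elasticfilesystem:DescribeFileSystems
            - elasticfilesystem:DescribeTags
            - elasticloadbalancing:Describe*
            - elasticmapreduce:DescribeCluster
            - elasticmapreduce:ListClusters
            - elasticmapreduce:ListInstances
            - es:DescribeElasticsearchDomain
            - es:DescribeElasticsearchDomains
            - es:ListDomainNames
            - es:ListTags
            - firehose:DescribeDeliveryStream
            - firehose:ListDeliveryStreams
            - firehose:ListTagsForDeliveryStream
            - fms:ListPolicies
            - fms:ListTagsForResource
            - fsx:DescribeFileSystems
            - glacier:ListTagsForVault
            - glacier:ListVaults
            - glue:Get*
            - glue:ListCrawlers
            # IAM reads: policy documents and user/group/role attachments.
            - iam:GetPolicy
            - iam:GetPolicyVersion
            - iam:GetRolePolicy
            - iam:GetUser
            - iam:ListAttachedGroupPolicies
            - iam:ListAttachedRolePolicies
            - iam:ListAttachedUserPolicies
            - iam:ListGroupsForUser
            - ivs:ListChannels
            - ivs:ListStreams
            - ivschat:ListRooms
            - kafka:DescribeCluster
            - kafka:ListClusters
            - kinesis:DescribeStream
            - kinesis:ListStreams
            - kinesis:ListTagsForStream
            - kinesisanalytics:DescribeApplication
            - kinesisanalytics:ListApplications
            - kinesisanalytics:ListTagsForResource
            - kinesisvideo:DescribeStream
            - kinesisvideo:ListStreams
            # Was "listTagsForResource"; normalised to the documented casing.
            # IAM matches Action values case-insensitively, so the grant is
            # unchanged — this only keeps the list greppable.
            - kinesisvideo:ListTagsForResource
            - kinesisvideo:ListTagsForStream
            - kms:DescribeKey
            - kms:ListKeys
            - kms:ListResourceTags
            - lambda:ListAliases
            # lambda:ListFunctions returns each function's configuration,
            # which includes its environment variables.
            - lambda:ListFunctions
            - lambda:ListTags
            - logs:DescribeLogGroups
            - logs:ListTagsLogGroup
            - mediaconvert:DescribeEndpoints
            - mediaconvert:ListJobs
            - mediaconvert:ListTagsForResource
            - medialive:ListChannels
            - medialive:ListInputs
            - mediastore:DescribeContainer
            - mediastore:ListContainers
            - mediastore:ListTagsForResource
            - mq:Describe*
            - mq:ListBrokers
            - rds:Describe*
            - rds:ListTagsForResource
            - redshift:DescribeClusters
            - redshift:DescribeTags
            - route53:List*
            - s3:GetBucketLocation
            - s3:GetBucketTagging
            - s3:HeadBucket
            - s3:ListAllMyBuckets
            - s3:ListBucket
            - s3:ListBucketByTags
            - sagemaker:Describe*
            - sagemaker:List*
            - savingsplans:DescribeSavingsPlans
            - savingsplans:ListTagsForResource
            - sqs:GetQueueAttributes
            - sqs:ListQueueTags
            - sqs:ListQueues
            - transfer:ListServers
            - transfer:ListTagsForResource
            - wafv2:GetRuleGroup
            - wafv2:GetWebACL
            - wafv2:ListRuleGroups
            - wafv2:ListTagsForResource
            - wafv2:ListWebACLs
            - workspaces:Describe*
          # Inventory List/Describe calls are account-wide; "*" is required for
          # the actions that take no resource type.
          Resource: "*"
    Roles:
      - !Ref CrossAccountRole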