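# Copyright (C) 2022 Panther Labs, Inc.
#
# The Panther SaaS is licensed under the terms of the Panther Enterprise Subscription
# Agreement available at https://panther.com/enterprise-subscription-agreement/.
# All intellectual property rights in and to the Panther SaaS, including any and all
# rights to access the Panther SaaS, are governed by the Panther Enterprise Subscription Agreement.

# StackSet execution role created in an account that Panther scans.
# The Panther master account assumes this role through CloudFormation StackSets;
# the role's inline policies limit what the stack set may create in this account.
#
# Date-looking version values are quoted so a generic YAML 1.1 loader does not
# turn them into timestamps (CloudFormation accepts either form).
AWSTemplateFormatVersion: '2010-09-09'
Description: IAM roles for an account being scanned by Panther.

Parameters:
  MasterAccountId:
    Type: String
    Default: ''
    # 12-digit account id allowed to assume the execution role. The empty default
    # is not usable on its own: the trust policy below would then reference
    # arn:...:iam:::root, which IAM is expected to reject, so a value must be supplied.
    Description: AWS account id of the Panther master account that runs the stack set
  MasterAccountRegion:
    Type: String
    Default: ''
    # Used only as a RoleName suffix; presumably keeps the role name unique per
    # deployment region, since IAM role names are account-global - confirm with caller.
    Description: Region of the Panther master deployment (used only to suffix the role name)

Resources:
  CloudFormationStackSetExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub 'PantherCloudFormationStackSetExecutionRole-${MasterAccountRegion}'
      Description: CloudFormation assumes this role to execute a stack set
      # Trust policy: the whole master account (":root") may assume this role, i.e.
      # any principal in that account whose own IAM policy grants sts:AssumeRole on
      # this role's ARN. There is no ExternalId or other Condition; narrowing the
      # Principal to the stack set administration role would be tighter - TODO confirm
      # the administration role ARN Panther uses before changing this.
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub 'arn:${AWS::Partition}:iam::${MasterAccountId}:root'
            Action: sts:AssumeRole
      # What the stack set can do in this account. Both policies use wildcard
      # actions on Resource '*', so the role can manage any CloudFormation stack
      # and any EventBridge/SNS resource in the account, not only Panther's.
      Policies:
        - PolicyName: ManageCloudFormationStack
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: cloudformation:*
                Resource: '*'
        # events:* / sns:* back the real-time event setup the stack set performs.
        - PolicyName: PantherSetupRealTimeEvents
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - events:*
                  - sns:*
                Resource: '*'
      Tags:
        - Key: panther:app
          Value: panther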