AWSTemplateFormatVersion: '2010-09-09'
Description: 'SCAI AWS Audit Role — Read-only audit access for SCAI Technologies. DELETE AFTER AUDIT.'

Parameters:
  ExternalId:
    Type: String
    Description: External ID for STS AssumeRole (unique per audit, provided by SCAI)
    MinLength: 1

Resources:
  # ============================================================================
  # SCAIAuditRole
  # ============================================================================
  SCAIAuditRole:
    Type: AWS::IAM::Role
    Properties:
      # Fixed role name: the stack must be deployed with CAPABILITY_NAMED_IAM.
      RoleName: SCAIAuditRole
      Description: Read-only role for SCAI AWS audit tool. DELETE AFTER AUDIT COMPLETION.
      # Trust policy: only the SCAI account may assume this role, and only when the
      # AssumeRole call carries the per-audit ExternalId (confused-deputy protection).
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: 'arn:aws:iam::092645364138:root'
            Action: 'sts:AssumeRole'
            Condition:
              StringEquals:
                'sts:ExternalId': !Ref ExternalId
      # Note: ReadOnlyAccess also grants data-plane reads (for example s3:Get* on
      # object contents), not only configuration metadata.
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/SecurityAudit'
        - 'arn:aws:iam::aws:policy/ReadOnlyAccess'
      Policies:
        - PolicyName: DenyModifyingActions
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Explicit Deny on mutating API verbs (Create/Delete/Modify/Put/Update/
              # Attach/Detach) for the listed services. An explicit Deny overrides any
              # Allow, so this still holds if a broader policy is attached later.
              # Action-name matching must be done in the Action element itself; no
              # IAM condition key carries the action name (aws:username is the IAM
              # user name of the caller and is absent for an assumed role).
              - Effect: Deny
                Action: [
                  'ec2:Create*', 'ec2:Delete*', 'ec2:Modify*', 'ec2:Put*', 'ec2:Update*', 'ec2:Attach*', 'ec2:Detach*',
                  'rds:Create*', 'rds:Delete*', 'rds:Modify*', 'rds:Put*', 'rds:Update*', 'rds:Attach*', 'rds:Detach*',
                  'iam:Create*', 'iam:Delete*', 'iam:Modify*', 'iam:Put*', 'iam:Update*', 'iam:Attach*', 'iam:Detach*',
                  's3:Create*', 's3:Delete*', 's3:Modify*', 's3:Put*', 's3:Update*', 's3:Attach*', 's3:Detach*',
                  'lambda:Create*', 'lambda:Delete*', 'lambda:Modify*', 'lambda:Put*', 'lambda:Update*', 'lambda:Attach*', 'lambda:Detach*',
                  'cloudformation:Create*', 'cloudformation:Delete*', 'cloudformation:Modify*', 'cloudformation:Put*', 'cloudformation:Update*', 'cloudformation:Attach*', 'cloudformation:Detach*',
                  'logs:Create*', 'logs:Delete*', 'logs:Modify*', 'logs:Put*', 'logs:Update*', 'logs:Attach*', 'logs:Detach*',
                  'cloudtrail:Create*', 'cloudtrail:Delete*', 'cloudtrail:Modify*', 'cloudtrail:Put*', 'cloudtrail:Update*', 'cloudtrail:Attach*', 'cloudtrail:Detach*',
                  'sns:Create*', 'sns:Delete*', 'sns:Modify*', 'sns:Put*', 'sns:Update*', 'sns:Attach*', 'sns:Detach*',
                  'sqs:Create*', 'sqs:Delete*', 'sqs:Modify*', 'sqs:Put*', 'sqs:Update*', 'sqs:Attach*', 'sqs:Detach*',
                  'dynamodb:Create*', 'dynamodb:Delete*', 'dynamodb:Modify*', 'dynamodb:Put*', 'dynamodb:Update*', 'dynamodb:Attach*', 'dynamodb:Detach*'
                ]
                Resource: '*'
      Tags:
        - Key: Purpose
          Value: SCAI-Audit
        - Key: DeleteAfterUse
          Value: 'true'

Outputs:
  RoleArn:
    Description: ARN of the SCAIAuditRole — use this when asked for the role ARN
    Value: !GetAtt SCAIAuditRole.Arn
    Export:
      Name: SCAIAuditRoleArn
  Instructions:
    Description: Important — Delete this role after audit is complete
    Value: 'This role is READ-ONLY and designed for temporary use. Delete the SCAIAuditRole from your AWS account after the audit is complete. This role has no write permissions and cannot modify your AWS resources.'
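The two decisions this template relies on are the trust-policy check (SCAI's account plus the per-audit ExternalId) and the explicit Deny on mutating verbs. The following Python is an added example, not SCAI's template or tooling: it implements a deliberately simplified IAM evaluator (Action wildcards, StringEquals/StringLike conditions, Deny-overrides-Allow; Resource, Principal matching, NotAction, SCPs and the other real evaluation rules are not modelled) and runs both checks against constructed policy documents. It also shows why action-name matching has to live in the Action element: a Deny conditioned on `aws:username` never sees the action name, so it is a no-op and a later-attached broad Allow goes through. `READ_ONLY_STANDIN` and `BROAD_ALLOW` are constructed stand-ins, not AWS's real managed policies.

```python
"""Simplified IAM policy evaluation for an audit role like SCAIAuditRole.

Added example (not SCAI code). Models only: Action wildcards, StringEquals /
StringLike conditions on request-context keys, and explicit Deny overriding
any Allow. Resource ARNs are accepted as '*' and otherwise ignored.
"""
import fnmatch

TRUSTED_ACCOUNT = "092645364138"  # the Principal account from the template

SERVICES = ["ec2", "rds", "iam", "s3", "lambda", "cloudformation",
            "logs", "cloudtrail", "sns", "sqs", "dynamodb"]
VERBS = ["Create*", "Delete*", "Modify*", "Put*", "Update*", "Attach*", "Detach*"]

# Constructed stand-in for ReadOnlyAccess: a handful of read verbs.
READ_ONLY_STANDIN = {"Statement": [{"Effect": "Allow", "Resource": "*",
    "Action": ["ec2:Describe*", "rds:Describe*", "iam:Get*", "iam:List*",
               "s3:Get*", "s3:List*"]}]}

# Constructed: a broad policy someone might attach to the role later.
BROAD_ALLOW = {"Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}

# Deny expressed the way IAM can evaluate it: verb patterns in the Action element.
DENY_MODIFYING = {"Statement": [{"Effect": "Deny", "Resource": "*",
    "Action": [f"{s}:{v}" for s in SERVICES for v in VERBS]}]}

# Same intent, but keyed on aws:username. That key holds the calling IAM user's
# name (and is absent for an assumed role), so it never matches an action name.
DENY_VIA_USERNAME = {"Statement": [{"Effect": "Deny", "Resource": "*",
    "Action": [f"{s}:*" for s in SERVICES],
    "Condition": {"StringLike": {"aws:username": VERBS}}}]}


def _action_matches(pattern: str, action: str) -> bool:
    """IAM action names are matched case-insensitively; '*' and '?' are wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _condition_holds(condition: dict, ctx: dict) -> bool:
    """Operators AND together; keys under an operator AND; values for a key OR.
    A key missing from the request context fails StringEquals/StringLike
    (the ...IfExists variants are not modelled)."""
    for operator, keys in condition.items():
        for key, allowed in keys.items():
            values = allowed if isinstance(allowed, list) else [allowed]
            actual = ctx.get(key)
            if actual is None:
                return False
            if operator == "StringEquals":
                if actual not in values:
                    return False
            elif operator == "StringLike":
                if not any(fnmatch.fnmatchcase(actual, v) for v in values):
                    return False
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
    return True


def _statement_applies(stmt: dict, action: str, ctx: dict) -> bool:
    patterns = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    if not any(_action_matches(p, action) for p in patterns):
        return False
    return _condition_holds(stmt.get("Condition", {}), ctx)


def evaluate(policies: list, action: str, ctx: dict = None) -> str:
    """Return 'Allow' only if some statement allows and no statement denies."""
    ctx = ctx or {}
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _statement_applies(stmt, action, ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"          # explicit Deny always wins
            allowed = True
    return "Allow" if allowed else "Deny"   # no matching Allow -> implicit Deny


def can_assume_role(caller_account: str, presented_external_id, expected_external_id: str) -> bool:
    """Trust-policy check: caller must be the SCAI account and present the ExternalId."""
    if caller_account != TRUSTED_ACCOUNT:
        return False
    trust = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
             "Condition": {"StringEquals": {"sts:ExternalId": expected_external_id}}}]}
    ctx = {} if presented_external_id is None else {"sts:ExternalId": presented_external_id}
    return evaluate([trust], "sts:AssumeRole", ctx) == "Allow"


def role_decision(action: str, deny_policy: dict, extra: dict = None) -> str:
    """Decision for the audit role's identity policies, optionally with an extra policy attached."""
    policies = [READ_ONLY_STANDIN, deny_policy] + ([extra] if extra else [])
    return evaluate(policies, action)


if __name__ == "__main__":
    print(can_assume_role(TRUSTED_ACCOUNT, "audit-0001", "audit-0001"))          # True
    print(can_assume_role(TRUSTED_ACCOUNT, None, "audit-0001"))                  # False
    print(role_decision("ec2:DescribeInstances", DENY_MODIFYING))                # Allow
    print(role_decision("ec2:CreateVolume", DENY_MODIFYING, BROAD_ALLOW))        # Deny
    print(role_decision("ec2:CreateVolume", DENY_VIA_USERNAME, BROAD_ALLOW))     # Allow (no-op Deny)
```

The last two calls are the point: with the verb patterns in `Action`, the explicit Deny blocks `ec2:CreateVolume` even after a broad `ec2:*` Allow is attached; with the same patterns moved into an `aws:username` condition, the Deny never applies and the broad Allow wins.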