fix(modules): volume access allow KMS installing user

sysdiglabs · Sep 10, 2024 · de25f3a · de25f3a
1 parent 2edb270
commit de25f3a
Showing 1 changed file with 46 additions and 3 deletions.
diff --git a/modules/volume_access.cft.yaml b/modules/volume_access.cft.yaml
@@ -255,7 +255,8 @@ Resources:
                   Effect: "Allow"
                   Principal:
                     AWS:
-                    - !Sub "arn:aws:iam::${AWS::AccountId}:root"
+                    - !Sub arn:aws:iam::${AWS::AccountId}:root
+                    - !Sub arn:aws:iam::${AWS::AccountId}:role/sysdig-secure-scanning-stackset-execution-${NameSuffix}
                   Action: "kms:*"
                   Resource: "*"
           ScanningKmsAlias:
@@ -394,13 +395,54 @@ Resources:
                     Condition:
                       StringEqualsIgnoreCase:
                         "aws:ResourceTag/CreatedBy": "Sysdig" 
+          AdministrationRole:
+            Type: AWS::IAM::Role
+            Properties:
+              RoleName: !Sub sysdig-secure-scanning-stackset-administration-${NameSuffix}
+              AssumeRolePolicyDocument:
+                Version: 2012-10-17
+                Statement:
+                - Effect: Allow
+                  Principal:
+                    Service: cloudformation.amazonaws.com
+                  Action:
+                  - sts:AssumeRole
+              Policies:
+              - PolicyName: !Sub sysdig-secure-scanning-stackset-execution-${NameSuffix}
+                PolicyDocument:
+                  Version: 2012-10-17
+                  Statement:
+                  - Effect: Allow
+                    Action:
+                    - sts:AssumeRole
+                    Resource:
+                    - !Sub arn:aws:iam:::role/sysdig-secure-scanning-stackset-execution-${NameSuffix}
+          ExecutionRole:
+            Type: AWS::IAM::Role   
+            Properties:
+              RoleName: !Sub sysdig-secure-scanning-stackset-execution-${NameSuffix}
+              AssumeRolePolicyDocument:
+                Version: 2012-10-17
+                Statement:
+                - Effect: Allow
+                  Principal:
+                    AWS:
+                    - !GetAtt AdministrationRole.RoleId
+                  Action:
+                  - sts:AssumeRole
+              ManagedPolicyArns:
+              - arn:aws:iam::aws:policy/AWSKeyManagementServicePowerUser
+              - arn:aws:iam::aws:policy/AWSCloudFormationFullAccess
   OrganizationKMSKeyStackSet:
     Type: AWS::CloudFormation::StackSet
     Condition: IsOrganizational
+    DependsOn: OrganizationRoleStackSet
     Properties:
       StackSetName: !Sub sysdig-secure-scanning-organization-kmskey-${NameSuffix}
       Description: IAM Role used to create KMS Keys to scan organization accounts/regions
-      PermissionModel: SERVICE_MANAGED
+      AdministrationRoleARN: !Sub arn:aws:iam:::role/sysdig-secure-scanning-stackset-administration-${NameSuffix}
+      ExecutionRoleName: !Sub sysdig-secure-scanning-stackset-execution-${NameSuffix}
+      PermissionModel: SELF_MANAGED
       Capabilities:
       - "CAPABILITY_NAMED_IAM"
       AutoDeployment:
@@ -464,7 +506,8 @@ Resources:
                   Effect: "Allow"
                   Principal:
                     AWS:
-                    - !Sub "arn:aws:iam::${AWS::AccountId}:root"
+                    - !Sub arn:aws:iam::${AWS::AccountId}:root
+                    - !Sub arn:aws:iam::${AWS::AccountId}:role/sysdig-secure-scanning-stackset-execution-${NameSuffix}
                   Action: "kms:*"
                   Resource: "*"
           ScanningKmsAlias: