{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Metadata":{
		"AWS::CloudFormation::Interface":{
			"ParameterGroups":[
				{
					"Label":{"default":"IAM Role"},
					"Parameters":["ExternalAccount","ExternalId", "AccountType"]
				},
				{
					"Label":{"default":"Inventory"},
					"Parameters":["InventoryAndUtilzation"]
				},
				{
					"Label":{"default":"Billing"},
					"Parameters":["CostPermissions","BillingBucket", "CurBucket"]
				},
				{
					"Label":{"default":"Security"},
					"Parameters":["Security","CloudTrailBucket"]
				},
				{
					"Label":{"default":"CloudWatch Flow Logs"},
					"Parameters":["CloudWatchFlowLogs"]
				}
			]
		}
	},
	"Parameters": {
		"ExternalId":{
			"Type":"String",
			"Description":"CloudCheckr External ID"
		},
		"ExternalAccount":{
			"Type":"String",
			"Default":"352813966189",
			"Description":"CloudCheckr Account"
		},
		"AccountType":{
			"Type":"String",
			"Default":"Standard",
			"Description":"Account Type",
			"AllowedValues": ["Standard", "GovCloud"]
		},
		"Security":{
			"Type": "String",
			"Default": "True",
			"Description": "Use CloudCheckr to process security data?",
			"AllowedValues": ["True", "False"]
		},
		"InventoryAndUtilzation":{
			"Type": "String",
			"Default": "True",
			"Description": "Use CloudCheckr to process inventory and utilization data?",
			"AllowedValues": ["True", "False"]
		},
		"CostPermissions": {
			"Type": "String",
			"Default": "True",
			"Description": "Use CloudCheckr to process billing data?",
			"AllowedValues": ["True", "False"]
		},
		"BillingBucket":{
			"Type":"String",
			"Description":"AWS Detailed Billing Report Bucket"
		},
		"CurBucket":{
			"Type":"String",
			"Description":"AWS Cost and Usage Report Bucket"
		},
		"CloudTrailBucket":{
			"Type":"String",
			"Description":"AWS CloudTrail Bucket"
		},
		"CloudWatchFlowLogs":{
			"Type": "String",
			"Default": "True",
			"Description": "Use CloudCheckr to process CloudWatch Flow Logs data?",
			"AllowedValues": ["True", "False"]
		}
	},
	"Conditions": {
		"IncludeCost": {"Fn::Equals": [{"Ref": "CostPermissions"}, "True"]},
		"IncludeInventory": {"Fn::Equals": [{"Ref": "InventoryAndUtilzation"}, "True"]},
		"IncludeSecurity": {"Fn::Equals": [{"Ref": "Security"}, "True"]},
		"IncludeFlowLogs": {"Fn::Equals": [{"Ref": "CloudWatchFlowLogs"}, "True"]},
		"IncludeCloudTrailBucket": {"Fn::Not": [{"Fn::Equals": ["", {"Ref": "CloudTrailBucket"}]}]},
		"IsAccountTypeStandard": {"Fn::Equals": [{"Ref": "AccountType"}, "Standard"]},
		"IncludeBillingBucket": { "Fn::And": [ {"Condition": "IsAccountTypeStandard"}, {"Fn::Not": [{"Fn::Equals": ["", {"Ref": "BillingBucket"}]}]}]},
		"IncludeCurBucket": { "Fn::And": [ {"Condition": "IsAccountTypeStandard"}, {"Fn::Not": [{"Fn::Equals": ["", {"Ref": "CurBucket"}]}]}]}
	},
	"Resources": {
		"IamRole": {
			"Type": "AWS::IAM::Role",
			"Properties": {
				"AssumeRolePolicyDocument": {
					"Version": "2012-10-17",
					"Statement": [{
						"Effect": "Allow",
						"Principal": {"AWS": { "Fn::Sub": "arn:${AWS::Partition}:iam::${ExternalAccount}:root" } },
						"Action": "sts:AssumeRole",
						"Condition": {
							"StringEquals": {
								"sts:ExternalId": {
									"Ref": "ExternalId"
								}
							}
						}
					}]
				}
			}
		},
		"CloudWatchFlowLogsPolicy":{
			"Type":"AWS::IAM::Policy",
			"Condition":"IncludeFlowLogs",
			"Properties":{
				"Roles":[{"Ref":"IamRole"}],
				"PolicyName":"CloudCheckr-CloudWatchFlowLogs-Policy",
				"PolicyDocument":{
					"Version":"2012-10-17",
					"Statement":[{
						"Sid":"CloudWatchLogsSpecific",
						"Effect":"Allow",
						"Action":[
							"logs:GetLogEvents",
							"logs:DescribeLogGroups",
							"logs:DescribeLogStreams"
						],
						"Resource":[
							{ "Fn::Sub": "arn:${AWS::Partition}:logs:*:*:*" }
						]
					}]
				}
			}
		},
		"CloudTrailPolicy":{
			"Type":"AWS::IAM::Policy",
			"Condition":"IncludeCloudTrailBucket",
			"Properties":{
				"Roles":[{"Ref":"IamRole"}],
				"PolicyName":"CloudCheckr-CloudTrail-Policy",
				"PolicyDocument":{
					"Version":"2012-10-17",
					"Statement":[{
						"Sid": "CloudTrailPermissions",
						"Effect": "Allow",
						"Action": [
							"s3:GetBucketACL",
							"s3:GetBucketLocation",
							"s3:GetBucketLogging",
							"s3:GetBucketPolicy",
							"s3:GetBucketTagging",
							"s3:GetBucketWebsite",
							"s3:GetBucketNotification",
							"s3:GetLifecycleConfiguration",
							"s3:GetObject",
							"s3:List*"
						],
						"Resource": [
							{ "Fn::Sub":"arn:${AWS::Partition}:s3:::${CloudTrailBucket}" },
							{ "Fn::Sub":"arn:${AWS::Partition}:s3:::${CloudTrailBucket}/*" }
						]
					}]
				}
			}
		},
		"SecurityPolicy":{
			"Type":"AWS::IAM::Policy",
			"Condition":"IncludeSecurity",
			"Properties":{
				"Roles":[{"Ref":"IamRole"}],
				"PolicyName":"CloudCheckr-Security-Policy",
				"PolicyDocument":{
					"Version":"2012-10-17",
					"Statement":[{
						"Sid": "SecurityPermissons",
						"Effect":"Allow",
						"Action":[
							"acm:DescribeCertificate",
							"acm:ListCertificates",
							"acm:GetCertificate",
							"cloudtrail:DescribeTrails",
							"cloudtrail:GetTrailStatus",
							"logs:GetLogEvents",
							"logs:DescribeLogGroups",
							"logs:DescribeLogStreams",
							"config:DescribeConfigRules",
							"config:GetComplianceDetailsByConfigRule",
							"config:DescribeDeliveryChannels",
							"config:DescribeDeliveryChannelStatus",
							"config:DescribeConfigurationRecorders",
							"config:DescribeConfigurationRecorderStatus",
							"ec2:Describe*",
							"iam:Get*",
							"iam:List*",
							"iam:GenerateCredentialReport",
							"kms:DescribeKey",
							"kms:GetKeyPolicy",
							"kms:GetKeyRotationStatus",
							"kms:ListAliases",
							"kms:ListGrants",
							"kms:ListKeys",
							"kms:ListKeyPolicies",
							"kms:ListResourceTags",
							"rds:Describe*",
							"ses:ListIdentities",
							"ses:GetSendStatistics",
							"ses:GetIdentityDkimAttributes",
							"ses:GetIdentityVerificationAttributes",
							"ses:GetSendQuota",
							"sns:GetTopicAttributes",
							"sns:GetSubscriptionAttributes",
							"sns:ListTopics",
							"sns:ListSubscriptionsByTopic",
							"sqs:ListQueues",
							"sqs:GetQueueAttributes"
						],
						"Resource": "*"
					}]
				}
			}
		},
		"InventoryPolicy":{
			"Type":"AWS::IAM::Policy",
			"Condition":"IncludeInventory",
			"Properties":{
				"Roles":[{"Ref":"IamRole"}],
				"PolicyName":"CloudCheckr-Inventory-Policy",
				"PolicyDocument":{
					"Version":"2012-10-17",
					"Statement":[{
						"Sid":"InventoryAndUtilization",
						"Effect":"Allow",
						"Action":[
							"access-analyzer:List*",
							"acm:DescribeCertificate",
							"acm:GetCertificate",
							"acm:ListCertificates",
							"autoscaling:Describe*",
							"cloudformation:DescribeStacks",
							"cloudformation:GetStackPolicy",
							"cloudformation:GetTemplate",
							"cloudformation:ListStackResources",
							"cloudformation:ListStacks",
							"cloudfront:GetDistributionConfig",
							"cloudfront:GetStreamingDistributionConfig",
							"cloudfront:List*",
							"cloudhsm:Describe*",
							"cloudhsm:List*",
							"cloudsearch:Describe*",
							"cloudtrail:DescribeTrails",
							"cloudtrail:GetEventSelectors",
							"cloudtrail:GetTrailStatus",
							"cloudwatch:DescribeAlarms",
							"cloudwatch:GetMetricStatistics",
							"cloudwatch:ListMetrics",
							"cognito-identity:ListIdentities",
							"cognito-identity:ListIdentityPools",
							"cognito-idp:List*",
							"config:Describe*",
							"config:GetComplianceDetailsByConfigRule",
							"datapipeline:DescribePipelines",
							"datapipeline:GetPipelineDefinition",
							"datapipeline:ListPipelines",
							"directconnect:Describe*",
							"dynamodb:DescribeTable",
							"dynamodb:ListTables",
							"dynamodb:ListTagsOfResource",
							"ec2:Describe*",
							"ec2:GetConsoleOutput",
							"ec2:GetEbsEncryptionByDefault",
							"ecs:DescribeClusters",
							"ecs:DescribeContainerInstances",
							"ecs:DescribeServices",
							"ecs:DescribeTaskDefinition",
							"ecs:DescribeTasks",
							"ecs:ListClusters",
							"ecs:ListContainerInstances",
							"ecs:ListServices",
							"ecs:ListTaskDefinitionFamilies",
							"ecs:ListTaskDefinitions",
							"ecs:ListTasks",
							"elasticache:Describe*",
							"elasticache:List*",
							"elasticbeanstalk:Describe*",
							"elasticfilesystem:DescribeFileSystems",
							"elasticfilesystem:DescribeTags",
							"elasticloadbalancing:Describe*",
							"elasticmapreduce:Describe*",
							"elasticmapreduce:List*",
							"glacier:DescribeJob",
							"glacier:DescribeVault",
							"glacier:GetJobOutput",
							"glacier:GetVaultNotifications",
							"glacier:List*",
							"iam:GenerateCredentialReport",
							"iam:Get*",
							"iam:List*",
							"iot:DescribeThing",
							"iot:ListThings",
							"kms:DescribeKey",
							"kms:GetKeyPolicy",
							"kms:GetKeyRotationStatus",
							"kms:ListAliases",
							"kms:ListGrants",
							"kms:ListKeyPolicies",
							"kms:ListKeys",
							"kms:ListResourceTags",
							"lambda:ListFunctions",
							"lambda:ListTags",
							"Organizations:Describe*",
							"Organizations:List*",
							"rds:Describe*",
							"rds:List*",
							"redshift:Describe*",
							"route53:ListHealthChecks",
							"route53:ListHostedZones",
							"route53:ListResourceRecordSets",
							"s3:GetBucketACL",
							"s3:GetBucketLocation",
							"s3:GetBucketLogging",
							"s3:GetBucketNotification",
							"s3:GetBucketPolicy",
							"s3:GetBucketPublicAccessBlock",
							"s3:GetBucketTagging",
							"s3:GetBucketVersioning",
							"s3:GetBucketWebsite",
							"s3:GetEncryptionConfiguration",
							"s3:GetLifecycleConfiguration",
							"s3:List*",
							"sdb:DomainMetadata",
							"sdb:ListDomains",
							"ses:GetIdentityDkimAttributes",
							"ses:GetIdentityVerificationAttributes",
							"ses:GetSendQuota",
							"ses:GetSendStatistics",
							"ses:ListIdentities",
							"sns:GetSubscriptionAttributes",
							"sns:GetTopicAttributes",
							"sns:ListSubscriptionsByTopic",
							"sns:ListTopics",
							"sqs:GetQueueAttributes",
							"sqs:ListQueues",
							"ssm:ListAssociations",
							"ssm:ListDocuments",
							"ssm:ListDocumentVersions",
							"ssm:ListInstanceAssociations",
							"ssm:ListInventoryEntries",
							"ssm:ListResourceDataSync",
							"storagegateway:Describe*",
							"storagegateway:List*",
							"support:*",
							"swf:List*",
							"wellarchitected:Get*",
							"wellarchitected:List*",
							"workspaces:DescribeWorkspaceBundles",
							"workspaces:DescribeWorkspaceDirectories",
							"workspaces:DescribeWorkspaces"
						],
						"Resource":"*"
					}]
				}
			}
		},
		"InventoryPolicy2":{
			"Type":"AWS::IAM::Policy",
			"Condition":"IncludeInventory",
			"Properties":{
				"Roles":[{"Ref":"IamRole"}],
				"PolicyName":"CloudCheckr-Inventory-Policy2",
				"PolicyDocument":{
					"Version":"2012-10-17",
					"Statement":[{
						"Sid":"InventoryAndUtilization",
						"Effect":"Allow",
						"Action": [
							"es:DescribeElasticsearchDomains",
							"es:ListDomainNames",
							"es:ListTags",
							"kinesis:DescribeStream",
							"kinesis:GetShardIterator",
							"kinesis:ListStreams",
							"kinesis:ListTagsForStream",
							"eks:Describe*",
							"eks:List*",
							"kafka:Describe*",
							"kafka:List*",
							"kafka:Get*"
						],
						"Resource":"*"
					}]
				}
			}
		},
		"DbrPolicy":{
			"Type":"AWS::IAM::Policy",
			"Condition":"IncludeBillingBucket",
			"Properties":{
				"Roles":[{"Ref":"IamRole"}],
				"PolicyName":"CloudCheckr-DBR-Policy",
				"PolicyDocument":{
					"Version":"2012-10-17",
					"Statement":[{
						"Sid":"CostReadDBR",
						"Effect":"Allow",
						"Action":[
							"s3:GetBucketACL",
							"s3:GetBucketLocation",
							"s3:GetBucketLogging",
							"s3:GetBucketPolicy",
							"s3:GetBucketTagging",
							"s3:GetBucketWebsite",
							"s3:GetBucketNotification",
							"s3:GetLifecycleConfiguration",
							"s3:GetObject"
						],
						"Resource":[
							{ "Fn::Sub":"arn:${AWS::Partition}:s3:::${BillingBucket}" },
							{ "Fn::Sub":"arn:${AWS::Partition}:s3:::${BillingBucket}/*" }
						]
					}]
				}
			}
		},
		"CurPolicy":{
			"Type":"AWS::IAM::Policy",
			"Condition":"IncludeCurBucket",
			"Properties":{
				"Roles":[{"Ref":"IamRole"}],
				"PolicyName":"CloudCheckr-CUR-Policy",
				"PolicyDocument":{
					"Version":"2012-10-17",
					"Statement":[{
						"Sid":"CostReadCUR",
						"Action":[
							"s3:GetObject"
						],
						"Effect":"Allow",
						"Resource":[
							{ "Fn::Sub":"arn:${AWS::Partition}:s3:::${CurBucket}" },
							{ "Fn::Sub":"arn:${AWS::Partition}:s3:::${CurBucket}/*" }
						]
					}]
				}
			}
		},
		"CostPolicy": {
			"Type": "AWS::IAM::Policy",
			"Condition": "IncludeCost",
			"Properties": {
				"PolicyName": "CloudCheckr-Cost-Policy",
				"PolicyDocument": {
					"Version": "2012-10-17",
					"Statement": [{
						"Sid": "CloudCheckrCostPermissions",
						"Action": [
							"ce:GetReservationUtilization",
							"ce:GetSavingsPlansPurchaseRecommendation",
							"ce:GetReservationPurchaseRecommendation",
							"cur:DescribeReportDefinitions",
							"ec2:DescribeAccountAttributes",
							"ec2:DescribeAvailabilityZones",
							"ec2:DescribeReservedInstancesOfferings",
							"ec2:DescribeReservedInstances",
							"ec2:DescribeReservedInstancesListings",
							"ec2:DescribeHostReservationOfferings",
							"ec2:DescribeReservedInstancesModifications",
							"ec2:DescribeHostReservations",
							"ec2:DescribeInstances",
							"ec2:DescribeInstanceStatus",
							"ec2:DescribeRegions",
							"ec2:DescribeKeyPairs",
							"ec2:DescribePlacementGroups",
							"ec2:DescribeAddresses",
							"ec2:DescribeSpotInstanceRequests",
							"ec2:DescribeImages",
							"ec2:DescribeImageAttribute",
							"ec2:DescribeSnapshots",
							"ec2:DescribeVolumes",
							"ec2:DescribeTags",
							"ec2:DescribeNetworkInterfaces",
							"ec2:DescribeSecurityGroups",
							"ec2:DescribeInstanceAttribute",
							"ec2:DescribeVolumeStatus",
							"elasticache:DescribeReservedCacheNodes",
							"elasticache:DescribeReservedCacheNodesOfferings",
							"es:DescribeReservedElasticsearchInstances",
							"rds:DescribeReservedDBInstances",
							"rds:DescribeReservedDBInstancesOfferings",
							"rds:DescribeDBInstances",
							"redshift:DescribeReservedNodes",
							"redshift:DescribeReservedNodeOfferings",
							"s3:GetBucketACL",
							"s3:GetBucketLocation",
							"s3:GetBucketLogging",
							"s3:GetBucketPolicy",
							"s3:GetBucketTagging",
							"s3:GetBucketWebsite",
							"s3:GetBucketNotification",
							"s3:GetLifecycleConfiguration",
							"s3:List*",
							"dynamodb:DescribeReservedCapacity",
							"dynamodb:DescribeReservedCapacityOfferings",
							"iam:GetAccountAuthorizationDetails",
							"iam:ListRolePolicies",
							"iam:ListAttachedRolePolicies",
							"savingsplans:DescribeSavingsPlans"
						],
						"Effect": "Allow",
						"Resource": "*"
					}]
				},
				"Roles":[{"Ref":"IamRole"}]
			}
		}
	},
	"Outputs": {
		"RoleArn":{
			"Description":"ARN of the IAM Role",
			"Value":{"Fn::GetAtt":["IamRole","Arn"]}
		},
		"RoleId": {
			"Description":"Id of the IAM Role",
			"Value":{"Fn::GetAtt":["IamRole","RoleId"]}
		}
	}
}