Skip to content

In aws-orgs.md, the paragraph about the security-audit role should say how to create it across an AWS organization #214

Description

@miltieIV2

Slack thread: https://turbot-community.slack.com/archives/C01UECB59A7/p1750880846977429

Some version of this AWS CloudFormation StackSet should be added to https://github.com/turbot/steampipe-samples/tree/main/all/aws-organizations-scripts

AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  OrgMainAccountId:
    Type: String
    Default: "123456789012"

Resources:
  CloudFormationStackSetSecurityAuditRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: security-audit
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS:
                - !Sub "arn:aws:iam::${OrgMainAccountId}:root"
            Action: 
              - "sts:AssumeRole"
              - "sts:TagSession"
      ManagedPolicyArns:
        - "arn:aws:iam::aws:policy/SecurityAudit"
      MaxSessionDuration: 10800 # 3 hours in seconds
      Description: Role for TurboT steampipe

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions