From 3ce69df5cba936a1e8cec82d3f02893b6e320456 Mon Sep 17 00:00:00 2001
From: Khai Do
Date: Wed, 13 Mar 2024 13:23:38 -0700
Subject: [PATCH] add CloudWatch-CrossAccountSharingRole to transit account
---
 ...cloudwatch-cross-account-sharing-role.yaml | 72 -------------------
 .../740-cloudwatch-dashboard/_tasks.yaml | 4 +-
 2 files changed, 1 insertion(+), 75 deletions(-)
 delete mode 100644 org-formation/600-access/cloudwatch-cross-account-sharing-role.yaml
diff --git a/org-formation/600-access/cloudwatch-cross-account-sharing-role.yaml b/org-formation/600-access/cloudwatch-cross-account-sharing-role.yaml
deleted file mode 100644
index 6df04669..00000000
--- a/org-formation/600-access/cloudwatch-cross-account-sharing-role.yaml
+++ /dev/null
@@ -1,72 +0,0 @@
-# Auto generated by AWS when manually configuring CloudWatch data sharing
-AWSTemplateFormatVersion: '2010-09-09'
-Description: Enables CloudWatch in central monitoring accounts to assume permissions to view CloudWatch data in the current account
-
-Parameters:
- MonitoringAccountIds:
- Description: Allows one or more monitoring accounts to view your data. Enter AWS account ids, 12 numeric digits in comma-separated list
- Type: CommaDelimitedList
-
- Policy:
- Description: The level of access to give to the Monitoring accounts
- Type: String
- Default: CloudWatch-and-AutomaticDashboards
- AllowedValues:
- - CloudWatch-and-AutomaticDashboards
- - CloudWatch-and-ServiceLens
- - CloudWatch-AutomaticDashboards-and-ServiceLens
- - CloudWatch-core-permissions
- - View-Access-for-all-services
-
-Conditions:
- DoFullReadOnly: !Equals [ !Ref Policy, View-Access-for-all-services ]
- DoAutomaticDashboards: !Equals [ !Ref Policy, CloudWatch-and-AutomaticDashboards ]
- DoServiceLens: !Equals [ !Ref Policy, CloudWatch-and-ServiceLens ]
- DoServiceLensAndAutomaticDashboards: !Equals [ !Ref Policy, CloudWatch-AutomaticDashboards-and-ServiceLens ]
- DoCWReadOnly: !Equals [ !Ref Policy, CloudWatch-core-permissions ]
-
-Resources:
- CWCrossAccountSharingRole:
- Type: AWS::IAM::Role
- Properties:
- RoleName: CloudWatch-CrossAccountSharingRole
- AssumeRolePolicyDocument:
- Version: '2012-10-17'
- Statement:
- - Effect: Allow
- Principal:
- AWS: !Split
- - ','
- - !Sub
- - 'arn:aws:iam::${inner}:root'
- - inner: !Join
- - ':root,arn:aws:iam::'
- - Ref: MonitoringAccountIds
- Action:
- - sts:AssumeRole
- Path: "/"
- ManagedPolicyArns: !If
- - DoFullReadOnly
- -
- - arn:aws:iam::aws:policy/CloudWatchReadOnlyAccess
- - arn:aws:iam::aws:policy/CloudWatchAutomaticDashboardsAccess
- - arn:aws:iam::aws:policy/job-function/ViewOnlyAccess
- - arn:aws:iam::aws:policy/AWSXrayReadOnlyAccess
- - !If
- - DoAutomaticDashboards
- -
- - arn:aws:iam::aws:policy/CloudWatchReadOnlyAccess
- - arn:aws:iam::aws:policy/CloudWatchAutomaticDashboardsAccess
- - !If
- - DoServiceLens
- -
- - arn:aws:iam::aws:policy/CloudWatchReadOnlyAccess
- - arn:aws:iam::aws:policy/AWSXrayReadOnlyAccess
- - !If
- - DoServiceLensAndAutomaticDashboards
- -
- - arn:aws:iam::aws:policy/CloudWatchReadOnlyAccess
- - arn:aws:iam::aws:policy/CloudWatchAutomaticDashboardsAccess
- - arn:aws:iam::aws:policy/AWSXrayReadOnlyAccess
- -
- - arn:aws:iam::aws:policy/CloudWatchReadOnlyAccess
diff --git a/org-formation/740-cloudwatch-dashboard/_tasks.yaml b/org-formation/740-cloudwatch-dashboard/_tasks.yaml
index f11e7607..90ff8d21 100644
--- a/org-formation/740-cloudwatch-dashboard/_tasks.yaml
+++ b/org-formation/740-cloudwatch-dashboard/_tasks.yaml
@@ -37,8 +37,6 @@ CrossAccountSharingRole:
 DefaultOrganizationBindingRegion: !Ref primaryRegion
 DefaultOrganizationBinding:
 Account: '*'
- ExcludeAccount:
- - !Ref MonitorCentralAccount
- - !Ref TransitAccount
+ ExcludeAccount: !Ref MonitorCentralAccount
 Parameters:
 MonitoringAccountIds: !Ref MonitorCentralAccount
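Review bot: The narrowed `ExcludeAccount` together with `Account: '*'` now deploys the `CrossAccountSharingRole` task into the transit account as well, which is a trust-boundary change the hunk leaves undocumented; a comment above `ExcludeAccount:` such as `# only the monitoring account itself is excluded; every other account, transit included, trusts MonitorCentralAccount through this role` would record the intent for the next reader. Whether `ExcludeAccount` accepts a bare `!Ref` scalar in place of the previous list is for the task runner's schema to confirm, which is not visible here, so a plan/dry run against the transit account before applying is worth doing. The deleted 600-access template hard-codes `RoleName: CloudWatch-CrossAccountSharingRole`; if it was ever deployed to the transit account by hand or by a task not shown in this diff, the stack created by this task would fail on that name until the old stack is removed. The `CrossAccountSharingRole` task begins before line 37 and its `Parameters` continue past the hunk.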