
# IAM execution role for the Lambda API. `${self:...}` / `${env:...}`
# placeholders look like Serverless Framework variables, substituted before
# CloudFormation parses the template (not visible from this file — confirm).
Resources:
  LambdaAPIRole:
    Type: "AWS::IAM::Role"
    Properties:
      RoleName: "${self:service}-${self:provider.stage}-LambdaAPI"
      Policies:
        # Inline policy 1: CloudWatch Logs write access, limited to the
        # deploying account/region and to log groups named after this
        # service and stage (trailing "*" matches any suffix of that prefix).
        - PolicyName: "${self:service}-${self:provider.stage}-lambda"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - "logs:CreateLogStream"
                  - "logs:CreateLogGroup"
                  - "logs:PutLogEvents"
                Resource: !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/${self:service}-${self:provider.stage}*:*"
        # Inline policy 2 is conditional: attached only when the
        # EnableCrossAccountSnsPublish condition (defined below) holds;
        # otherwise AWS::NoValue drops this list entry entirely.
        - !If
          - EnableCrossAccountSnsPublish
          - PolicyName: "${self:service}-${self:provider.stage}-asngen-sns-publish"
            PolicyDocument:
              Version: "2012-10-17"
              Statement:
                - Effect: Allow
                  Action:
                    - "SNS:Publish"
                  # Publish is restricted to FIFO topics in the account given by
                  # ${self:provider.itopia_account_id}; the "*" sits between the
                  # stage prefix and the entity suffix, so any topic matching
                  # "<stage>-*-<Entity>.fifo" is allowed, not one fixed topic.
                  Resource:
                    - !Sub "arn:aws:sns:${self:provider.region}:${self:provider.itopia_account_id}:${self:provider.stage}-*-PurchaseOrder.fifo"
                    - !Sub "arn:aws:sns:${self:provider.region}:${self:provider.itopia_account_id}:${self:provider.stage}-*-Vendor.fifo"
                    - !Sub "arn:aws:sns:${self:provider.region}:${self:provider.itopia_account_id}:${self:provider.stage}-*-Customer.fifo"
                    - !Sub "arn:aws:sns:${self:provider.region}:${self:provider.itopia_account_id}:${self:provider.stage}-*-Manufacturer.fifo"
                    - !Sub "arn:aws:sns:${self:provider.region}:${self:provider.itopia_account_id}:${self:provider.stage}-*-ManufacturerItem.fifo"
                    - !Sub "arn:aws:sns:${self:provider.region}:${self:provider.itopia_account_id}:${self:provider.stage}-*-Item.fifo"
                    - !Sub "arn:aws:sns:${self:provider.region}:${self:provider.itopia_account_id}:${self:provider.stage}-*-VendorItem.fifo"
          - !Ref "AWS::NoValue"
      # Trust policy: only the Lambda service principal may assume this role.
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - "lambda.amazonaws.com"
            Action:
              - "sts:AssumeRole"

# Drives the !If above. The left operand is the ALLOW_SNS_PUBLISH environment
# variable with a default of true, so the cross-account publish policy is
# attached unless the variable is explicitly set to something other than true.
# NOTE(review): the default and the right operand are unquoted `true`; whether
# the substituted value reaches Fn::Equals as a boolean or the string "true"
# is not visible here — confirm against the rendered template.
Conditions:
  EnableCrossAccountSnsPublish: !Equals
    - ${env:ALLOW_SNS_PUBLISH, true}
    - true