{
  "Parameters" : {
    "AWSAccountID" : {
      "Description": "The partner AWS account ID to trust (the account permitted to assume the scan role)",
      "Type" : "String",
      "Default": 780611606251
    },
    "ExternalId" : {
      "Description": "The external ID issued by Dash ComplyOps; it must be presented as sts:ExternalId when the role is assumed",
      "Type" : "String",
      "MinLength" : "6",
      "AllowedPattern" : "^[a-zA-Z0-9]*$"
    }
  },
  "Resources": {
    "DashComplyopsAuditPolicy": {
      "Type": "AWS::IAM::ManagedPolicy",
      "Properties": {
        "ManagedPolicyName": "DashComplyopsAuditPolicy",
        "Description": "Dash ComplyOps permissions for AWS account scanning: AWS Config rule/delivery-channel management and SNS topic/subscription management",
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Action": [
                "config:describeDeliveryChannels",
                "config:describeConfigRules",
                "config:putDeliveryChannel",
                "config:DeleteEvaluationResults",
                "config:StartConfigRulesEvaluation",
                "config:PutConfigRule",
                "config:DeleteConfigRule"
              ],
              "Resource": "*",
              "Effect": "Allow"
            },
            {
              "Action": [
                "sns:ListSubscriptionsByTopic",
                "sns:listTopics",
                "sns:createTopic",
                "sns:subscribe",
                "sns:unsubscribe",
                "sns:confirmSubscription"
              ],
              "Resource": "*",
              "Effect": "Allow"
            }
          ]
        },
        "Roles": [
          {
            "Ref": "DashComplyopsScanRole"
          }
        ]
      }
    },
    "DashComplyopsScanRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "RoleName": "DashComplyopsScanRole",
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "AWS": {
                  "Fn::Join": [
                    "",
                    [
                      "arn:aws:iam::",
                      {
                        "Ref": "AWSAccountID"
                      },
                      ":root"
                    ]
                  ]
                }
              },
              "Action": "sts:AssumeRole",
              "Condition": {
                "StringEquals": {
                  "sts:ExternalId": { "Ref": "ExternalId" }
                }
              }
            }
          ]
        },
        "ManagedPolicyArns": [
          "arn:aws:iam::aws:policy/AWSSecurityHubReadOnlyAccess",
          "arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess",
          "arn:aws:iam::aws:policy/AmazonVPCReadOnlyAccess",
          "arn:aws:iam::aws:policy/SecurityAudit",
          "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess",
          "arn:aws:iam::aws:policy/IAMReadOnlyAccess",
          "arn:aws:iam::aws:policy/AmazonRDSReadOnlyAccess",
          "arn:aws:iam::aws:policy/AWSLambda_ReadOnlyAccess"
        ]
      }
    }
  },
  "Outputs": {
    "AWSAccountID": {
      "Description": "The AWS account ID in which this stack is deployed",
      "Value": { "Ref": "AWS::AccountId" }
    }
  }
}