Merge pull request #263 from IevIe/inspector-slr

cyphronix · web-flow · commit d1e0a5f8946a · 2024-09-18T12:35:23.000-06:00
SRA Inspector solution - CreateServiceLinkedRole permissions update
diff --git a/aws_sra_examples/solutions/inspector/inspector_org/templates/sra-inspector-org-configuration-role.yaml b/aws_sra_examples/solutions/inspector/inspector_org/templates/sra-inspector-org-configuration-role.yaml
@@ -126,18 +126,27 @@ Resources:
                 Action: iam:CreateServiceLinkedRole
                 Condition:
                   StringLike:
-                    iam:AWSServiceName: inspector2.amazonaws.com
-                Resource: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/aws-service-role/inspector2.amazonaws.com/AWSServiceRoleForAmazonInspector2
+                    iam:AWSServiceName:
+                      - inspector2.amazonaws.com
+                      - agentless.inspector2.amazonaws.com
+                Resource: 
+                  - !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/aws-service-role/inspector2.amazonaws.com/AWSServiceRoleForAmazonInspector2
+                  - !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/aws-service-role/agentless.inspector2.amazonaws.com/AWSServiceRoleForAmazonInspector2Agentless
 
               - Sid: AllowPolicyActions
                 Effect: Allow
                 Action: iam:PutRolePolicy
-                Resource: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/aws-service-role/inspector2.amazonaws.com/AWSServiceRoleForAmazonInspector2
+                Resource:
+                  - !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/aws-service-role/inspector2.amazonaws.com/AWSServiceRoleForAmazonInspector2
+                  - !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/aws-service-role/agentless.inspector2.amazonaws.com/AWSServiceRoleForAmazonInspector2Agentless
 
-              - Sid: AllowDeleteServiceLinkRole
+              - Sid: AllowDeleteServiceLinkedRole
                 Effect: Allow
                 Action: iam:DeleteServiceLinkedRole
-                Resource: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/aws-service-role/inspector2.amazonaws.com/AWSServiceRoleForAmazonInspector2
+                Resource:
+                  - !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/aws-service-role/inspector2.amazonaws.com/AWSServiceRoleForAmazonInspector2
+                  - !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/aws-service-role/agentless.inspector2.amazonaws.com/AWSServiceRoleForAmazonInspector2Agentless
+
       Tags:
         - Key: sra-solution
           Value: !Ref pSRASolutionName
diff --git a/aws_sra_examples/solutions/inspector/inspector_org/templates/sra-inspector-org-configuration.yaml b/aws_sra_examples/solutions/inspector/inspector_org/templates/sra-inspector-org-configuration.yaml
@@ -320,18 +320,26 @@ Resources:
                 Action: iam:CreateServiceLinkedRole
                 Condition:
                   StringLike:
-                    iam:AWSServiceName: inspector2.amazonaws.com
-                Resource: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/aws-service-role/inspector2.amazonaws.com/AWSServiceRoleForAmazonInspector2
+                    iam:AWSServiceName:
+                      - inspector2.amazonaws.com
+                      - agentless.inspector2.amazonaws.com
+                Resource: 
+                  - !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/aws-service-role/inspector2.amazonaws.com/AWSServiceRoleForAmazonInspector2
+                  - !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/aws-service-role/agentless.inspector2.amazonaws.com/AWSServiceRoleForAmazonInspector2Agentless
 
               - Sid: AllowPolicyActions
                 Effect: Allow
                 Action: iam:PutRolePolicy
-                Resource: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/aws-service-role/inspector2.amazonaws.com/AWSServiceRoleForAmazonInspector2
+                Resource:
+                  - !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/aws-service-role/inspector2.amazonaws.com/AWSServiceRoleForAmazonInspector2
+                  - !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/aws-service-role/agentless.inspector2.amazonaws.com/AWSServiceRoleForAmazonInspector2Agentless
 
               - Sid: AllowDeleteServiceLinkedRole
                 Effect: Allow
                 Action: iam:DeleteServiceLinkedRole
-                Resource: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/aws-service-role/inspector2.amazonaws.com/AWSServiceRoleForAmazonInspector2
+                Resource:
+                  - !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/aws-service-role/inspector2.amazonaws.com/AWSServiceRoleForAmazonInspector2
+                  - !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/aws-service-role/agentless.inspector2.amazonaws.com/AWSServiceRoleForAmazonInspector2Agentless
 
         - PolicyName: sra-inspector-org-policy-logs
           PolicyDocument:
