From 8f18b73258f7f130c8a09e9e4f323eb27a5b0b17 Mon Sep 17 00:00:00 2001
From: ievgeniia ieromenko
Date: Thu, 12 Sep 2024 22:28:08 -0400
Subject: [PATCH] adding permissions to create agentless slr
---
 .../sra-inspector-org-configuration-role.yaml | 19 ++++++++++++++-----
 .../sra-inspector-org-configuration.yaml | 16 ++++++++++++----
 2 files changed, 26 insertions(+), 9 deletions(-)
diff --git a/aws_sra_examples/solutions/inspector/inspector_org/templates/sra-inspector-org-configuration-role.yaml b/aws_sra_examples/solutions/inspector/inspector_org/templates/sra-inspector-org-configuration-role.yaml
index bf44a2850..aa0e9f3cd 100644
--- a/aws_sra_examples/solutions/inspector/inspector_org/templates/sra-inspector-org-configuration-role.yaml
+++ b/aws_sra_examples/solutions/inspector/inspector_org/templates/sra-inspector-org-configuration-role.yaml
@@ -126,18 +126,27 @@ Resources:
 Action: iam:CreateServiceLinkedRole
 Condition:
 StringLike:
- iam:AWSServiceName: inspector2.amazonaws.com
- Resource: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/aws-service-role/inspector2.amazonaws.com/AWSServiceRoleForAmazonInspector2
+ iam:AWSServiceName:
+ - inspector2.amazonaws.com
+ - agentless.inspector2.amazonaws.com
+ Resource:
+ - !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/aws-service-role/inspector2.amazonaws.com/AWSServiceRoleForAmazonInspector2
+ - !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/aws-service-role/agentless.inspector2.amazonaws.com/AWSServiceRoleForAmazonInspector2Agentless
 - Sid: AllowPolicyActions
 Effect: Allow
 Action: iam:PutRolePolicy
- Resource: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/aws-service-role/inspector2.amazonaws.com/AWSServiceRoleForAmazonInspector2
+ Resource:
+ - !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/aws-service-role/inspector2.amazonaws.com/AWSServiceRoleForAmazonInspector2
+ - !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/aws-service-role/agentless.inspector2.amazonaws.com/AWSServiceRoleForAmazonInspector2Agentless
- - Sid: AllowDeleteServiceLinkRole
+ - Sid: AllowDeleteServiceLinkedRole
 Effect: Allow
 Action: iam:DeleteServiceLinkedRole
- Resource: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/aws-service-role/inspector2.amazonaws.com/AWSServiceRoleForAmazonInspector2
+ Resource:
+ - !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/aws-service-role/inspector2.amazonaws.com/AWSServiceRoleForAmazonInspector2
+ - !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/aws-service-role/agentless.inspector2.amazonaws.com/AWSServiceRoleForAmazonInspector2Agentless
+ Tags:
 - Key: sra-solution
 Value: !Ref pSRASolutionName
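Review bot: The `StringLike` condition on `iam:AWSServiceName` now carries two literal service principals with no wildcard characters, so `StringEquals` states the intent exactly and guards against a later pattern widening the grant; change the one line to `StringEquals:`. The three statements in this hunk are duplicated verbatim in sra-inspector-org-configuration.yaml (hunk at line 320), and the Sid fix here (AllowDeleteServiceLinkRole → AllowDeleteServiceLinkedRole) shows the two copies had already drifted, so a comment such as `# Keep these SLR statements in sync with sra-inspector-org-configuration.yaml` above the first statement would help the next editor. Extending `iam:DeleteServiceLinkedRole` to the agentless SLR means a stack teardown can remove a role that other Inspector scanning in the account may still rely on; that looks intended here but deserves a comment saying so. The enclosing PolicyDocument begins before the hunk.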
diff --git a/aws_sra_examples/solutions/inspector/inspector_org/templates/sra-inspector-org-configuration.yaml b/aws_sra_examples/solutions/inspector/inspector_org/templates/sra-inspector-org-configuration.yaml
index 7f53dbb51..e6bd65335 100644
--- a/aws_sra_examples/solutions/inspector/inspector_org/templates/sra-inspector-org-configuration.yaml
+++ b/aws_sra_examples/solutions/inspector/inspector_org/templates/sra-inspector-org-configuration.yaml
@@ -320,18 +320,26 @@ Resources:
 Action: iam:CreateServiceLinkedRole
 Condition:
 StringLike:
- iam:AWSServiceName: inspector2.amazonaws.com
- Resource: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/aws-service-role/inspector2.amazonaws.com/AWSServiceRoleForAmazonInspector2
+ iam:AWSServiceName:
+ - inspector2.amazonaws.com
+ - agentless.inspector2.amazonaws.com
+ Resource:
+ - !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/aws-service-role/inspector2.amazonaws.com/AWSServiceRoleForAmazonInspector2
+ - !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/aws-service-role/agentless.inspector2.amazonaws.com/AWSServiceRoleForAmazonInspector2Agentless
 - Sid: AllowPolicyActions
 Effect: Allow
 Action: iam:PutRolePolicy
- Resource: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/aws-service-role/inspector2.amazonaws.com/AWSServiceRoleForAmazonInspector2
+ Resource:
+ - !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/aws-service-role/inspector2.amazonaws.com/AWSServiceRoleForAmazonInspector2
+ - !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/aws-service-role/agentless.inspector2.amazonaws.com/AWSServiceRoleForAmazonInspector2Agentless
 - Sid: AllowDeleteServiceLinkedRole
 Effect: Allow
 Action: iam:DeleteServiceLinkedRole
- Resource: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/aws-service-role/inspector2.amazonaws.com/AWSServiceRoleForAmazonInspector2
+ Resource:
+ - !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/aws-service-role/inspector2.amazonaws.com/AWSServiceRoleForAmazonInspector2
+ - !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/aws-service-role/agentless.inspector2.amazonaws.com/AWSServiceRoleForAmazonInspector2Agentless
 - PolicyName: sra-inspector-org-policy-logs
 PolicyDocument:
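Review bot: The `iam:PutRolePolicy` grant is widened to the agentless SLR, yet nothing in this change shows the configuration code writing an inline policy to either service-linked role; service-linked roles are normally policy-managed by the owning service, so if that call is never made the grant is unused and should be dropped under least privilege. If it is needed, a comment naming the call that requires it would justify keeping it, e.g. `# Required by <CALL_PLACEHOLDER> — TODO confirm`. The enclosing policy statement list begins before this hunk.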