Skip to content

In aws-orgs.md, the paragraph about the security-audit role should say how to create it across an AWS organization #214

New issue
New issue
Open
Open
In aws-orgs.md, the paragraph about the security-audit role should say how to create it across an AWS organization#214
@miltieIV2

Description

@miltieIV2
miltieIV2
opened on Jun 26, 2025

Slack thread: https://turbot-community.slack.com/archives/C01UECB59A7/p1750880846977429

Some version of this AWS CloudFormation StackSet should be added to https://github.com/turbot/steampipe-samples/tree/main/all/aws-organizations-scripts

AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  OrgMainAccountId:
    Type: String
    Default: "123456789012"

Resources:
  CloudFormationStackSetSecurityAuditRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: security-audit
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS:
                - !Sub "arn:aws:iam::${OrgMainAccountId}:root"
            Action: 
              - "sts:AssumeRole"
              - "sts:TagSession"
      ManagedPolicyArns:
        - "arn:aws:iam::aws:policy/SecurityAudit"
      MaxSessionDuration: 10800 # 3 hours in seconds
      Description: Role for TurboT steampipe

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions