DeepSecurity のクロスアカウントロールを CloudFormation で


[Deep Security] AWSアカウント連携をIAM Roleで設定する を CloudFormation でやるには

<account_id>公式ドキュメント を参照

---
AWSTemplateFormatVersion: '2010-09-09'

Parameters:
  ExternalId:
    Type: 'String'

Resources:
  DeepSecurityDelegationRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: 'Allow'
            Condition:
              StringEquals:
                'sts:ExternalId':
                  Ref: 'ExternalId'
            Principal:
              AWS:
                - 'arn:aws:iam::<account_id>:root'
            Action:
              - 'sts:AssumeRole'

  DeepSecurityAWSIntegrationPolicy:
    Type: 'AWS::IAM::ManagedPolicy'
    Properties:
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: 'Allow'
            Action:
            - 'ec2:DescribeImages'
            - 'ec2:DescribeInstances'
            - 'ec2:DescribeRegions'
            - 'ec2:DescribeSubnets'
            - 'ec2:DescribeTags'
            - 'ec2:DescribeVpcs'
            - 'iam:ListAccountAliases'
            Resource: '*'
      Roles:
        - Ref: 'DeepSecurityDelegationRole'

Outputs:
  RoleArn:
    Value:
      'Fn::GetAtt':
        - 'DeepSecurityDelegationRole'
        - 'Arn'

  ExternalId:
    Value:
      Ref: 'ExternalId'

DeepSecurity 側の画面で CloudFormation の Outputs で出力された RoleArnクロスアカウントロールのARNExternalId外部ID へ入力。