@alisade
Created October 27, 2025 04:39
// Enable the GuardDuty delegated administrator from the Organizations management
// account through a CDK AwsCustomResource. The policy below is attached to the
// custom resource's Lambda execution role (the role that makes the SDK calls),
// not to the account being delegated to.
import * as cr from 'aws-cdk-lib/custom-resources';
import * as iam from 'aws-cdk-lib/aws-iam';

if (enableGuardDuty) {
  const guardDutyPolicy = cr.AwsCustomResourcePolicy.fromStatements([
    // from https://docs.aws.amazon.com/guardduty/latest/ug/organizations_permissions.html
    new iam.PolicyStatement({
      actions: [
        'guardduty:EnableOrganizationAdminAccount',
        'guardduty:ListOrganizationAdminAccounts',
        'guardduty:DisableOrganizationAdminAccount',
      ],
      resources: ['*'],
    }),
    // Organizations actions GuardDuty performs on the caller's behalf when
    // registering / deregistering the delegated administrator
    new iam.PolicyStatement({
      actions: [
        'organizations:EnableAWSServiceAccess',
        'organizations:RegisterDelegatedAdministrator',
        // ******************************************************************
        // * not in AWS documentation, but is needed, otherwise deployment will fail
        'organizations:DeregisterDelegatedAdministrator',
        // ******************************************************************
        'organizations:ListDelegatedAdministrators',
        'organizations:ListAWSServiceAccessForOrganization',
        'organizations:DescribeOrganizationalUnit',
        'organizations:DescribeAccount',
        'organizations:DescribeOrganization',
        'organizations:ListAccounts',
      ],
      resources: ['*'],
    }),
    // Scope service-linked role creation to GuardDuty only; without the
    // condition this role could create the service-linked role of any service
    new iam.PolicyStatement({
      actions: ['iam:CreateServiceLinkedRole'],
      resources: ['*'],
      conditions: {
        StringEquals: {
          'iam:AWSServiceName': 'guardduty.amazonaws.com',
        },
      },
    }),
  ]);
}
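The gist shows the role policy but not the custom resource it backs. The following is an added example, not code from the gist: it expresses the create/delete call pair that an `AwsCustomResource` would make with this policy (enable on create, disable on delete) as plain objects, so it runs without `aws-cdk-lib`, and adds two checks a practitioner would run before deploying: that every IAM action needed on the create and delete paths is allowed (reproducing the deregister gap the gist's comment warns about), and that `iam:CreateServiceLinkedRole` is still condition-scoped to `guardduty.amazonaws.com`. The `requiredActions` lists beyond the direct GuardDuty action are an assumption about what GuardDuty calls on the management account's behalf, taken from the permissions page the gist cites and from the gist author's deregister note; the account id `111122223333` is a placeholder.

```typescript
// Added example (not from the gist): the AwsCustomResource call pair the gist's
// policy is meant to back, plus coverage and least-privilege checks on the policy.

interface IamStatement {
  Effect: 'Allow';
  Action: string[];
  Resource: '*';
  Condition?: { StringEquals: Record<string, string> };
}

// One SDK call as AwsCustomResource names it (service + camelCase action), with
// the IAM actions it needs. Entries beyond the direct GuardDuty action are an
// ASSUMPTION about what GuardDuty performs on the caller's behalf.
interface LifecycleCall {
  service: 'GuardDuty';
  action: string;
  parameters: Record<string, string>;
  requiredActions: string[];
}

// The gist's fromStatements([...]) block as a plain IAM policy document.
export function delegatedAdminRolePolicy(): IamStatement[] {
  return [
    {
      Effect: 'Allow',
      Action: [
        'guardduty:EnableOrganizationAdminAccount',
        'guardduty:ListOrganizationAdminAccounts',
        'guardduty:DisableOrganizationAdminAccount',
      ],
      Resource: '*',
    },
    {
      Effect: 'Allow',
      Action: [
        'organizations:EnableAWSServiceAccess',
        'organizations:RegisterDelegatedAdministrator',
        'organizations:DeregisterDelegatedAdministrator',
        'organizations:ListDelegatedAdministrators',
        'organizations:ListAWSServiceAccessForOrganization',
        'organizations:DescribeOrganizationalUnit',
        'organizations:DescribeAccount',
        'organizations:DescribeOrganization',
        'organizations:ListAccounts',
      ],
      Resource: '*',
    },
    {
      Effect: 'Allow',
      Action: ['iam:CreateServiceLinkedRole'],
      Resource: '*',
      Condition: { StringEquals: { 'iam:AWSServiceName': 'guardduty.amazonaws.com' } },
    },
  ];
}

// Create/delete pair: enable on create, disable on delete, so a stack teardown
// removes the delegation instead of leaving it behind. adminAccountId is the
// security-tooling account being delegated to.
export function delegatedAdminLifecycle(adminAccountId: string): { onCreate: LifecycleCall; onDelete: LifecycleCall } {
  return {
    onCreate: {
      service: 'GuardDuty',
      action: 'enableOrganizationAdminAccount',
      parameters: { AdminAccountId: adminAccountId },
      requiredActions: [
        'guardduty:EnableOrganizationAdminAccount',
        'organizations:EnableAWSServiceAccess', // assumption: called on the caller's behalf
        'organizations:RegisterDelegatedAdministrator', // assumption: called on the caller's behalf
        'iam:CreateServiceLinkedRole',
      ],
    },
    onDelete: {
      service: 'GuardDuty',
      action: 'disableOrganizationAdminAccount',
      parameters: { AdminAccountId: adminAccountId },
      requiredActions: [
        'guardduty:DisableOrganizationAdminAccount',
        'organizations:DeregisterDelegatedAdministrator', // the gist's "not in AWS documentation" case
      ],
    },
  };
}

// Coverage check: IAM actions required by either path that the policy does not
// allow. Exact match only, which is enough because the policy has no wildcards.
export function uncoveredActions(policy: IamStatement[], calls: { onCreate: LifecycleCall; onDelete: LifecycleCall }): string[] {
  const allowed = new Set<string>(policy.reduce<string[]>((acc, s) => acc.concat(s.Action), []));
  return calls.onCreate.requiredActions.concat(calls.onDelete.requiredActions).filter((a) => !allowed.has(a));
}

// Least-privilege check: every statement granting iam:CreateServiceLinkedRole
// must carry the iam:AWSServiceName condition for guardduty.amazonaws.com.
export function serviceLinkedRoleIsScoped(policy: IamStatement[]): boolean {
  const grants = policy.filter((s) => s.Action.indexOf('iam:CreateServiceLinkedRole') !== -1);
  return grants.length > 0 && grants.every((s) => s.Condition?.StringEquals['iam:AWSServiceName'] === 'guardduty.amazonaws.com');
}

// The policy as copied verbatim from the AWS page, i.e. without the deregister
// action, to reproduce the gap the gist's comment describes.
export function withoutDeregister(policy: IamStatement[]): IamStatement[] {
  return policy.map((s) => ({ ...s, Action: s.Action.filter((a) => a !== 'organizations:DeregisterDelegatedAdministrator') }));
}
```

In the real stack these two calls become the `onCreate` and `onDelete` of a single `cr.AwsCustomResource` with `policy: guardDutyPolicy`; the custom resource must be deployed in the Organizations management account, and because GuardDuty is a regional service the delegation is made per region, so a stack per region (or one custom resource per region) is needed for full coverage.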