/
domain-join-automation-role.yaml
46 lines (45 loc) · 1.43 KB
/
domain-join-automation-role.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
AWSTemplateFormatVersion: 2010-09-09
Parameters:
DomainJoinAutomationEC2Role:
Type: String
Description: Role Name for EC2 Domain Join Automation that will be created using this template
Default: EC2DomainJoinAutomation
Resources:
DomainJoinAutomationRole:
Type: 'AWS::IAM::Role'
Properties:
RoleName: !Ref DomainJoinAutomationEC2Role
AssumeRolePolicyDocument:
Statement:
- Action: sts:AssumeRole
Effect: Allow
Principal:
Service:
- ec2.amazonaws.com
Version: "2012-10-17"
ManagedPolicyArns:
- !Sub arn:${AWS::Partition}:iam::aws:policy/AmazonSSMManagedInstanceCore
Path: /
Policies:
- PolicyName: ssm-param-kms-policy
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action:
- 'kms:Decrypt'
Resource:
- !ImportValue AD-Creds-KMS-Key-Arn
- Effect: Allow
Action:
- 'ssm:GetParameter*'
Resource:
- !ImportValue AD-Username-SSM-Param-Arn
- !ImportValue AD-Password-SSM-Param-Arn
InstanceProfile:
Type: AWS::IAM::InstanceProfile
Properties:
InstanceProfileName: !Ref DomainJoinAutomationEC2Role
Path: /
Roles:
- Ref: DomainJoinAutomationRole