Skip to content
Permalink
Branch: master
Find file Copy path
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
113 lines (96 sloc) 2.84 KB
# Note: Policy to Allow EC2 instance full access to S3 & CloudWatch,
# Policy to Allow EC2 VPC Logs to CloudWatch
#
---
AWSTemplateFormatVersion: "2010-09-09"
Description: >
Policy to Allow EC2 instance full access to S3 & CloudWatch.
Policy to Allow EC2 VPC Logs to CloudWatch
Parameters:
PMServerEnv:
Description: "Server Environment name."
ConstraintDescription: "Invalid environment name. Choose an environment from the list"
Type: "String"
AllowedValues:
- "dev"
- "staging"
- "prod"
Resources:
IAMS3CW:
Type: "AWS::IAM::Role"
Properties:
ManagedPolicyArns:
- "arn:aws:iam::aws:policy/CloudWatchFullAccess"
- "arn:aws:iam::aws:policy/AmazonS3FullAccess"
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
-
Effect: "Allow"
Principal:
Service:
- "ec2.amazonaws.com"
Action:
- "sts:AssumeRole"
Path: "/"
# AWS::IAM::InstanceProfile
# Creates an AWS Identity and Access Management (IAM) Instance Profile that can be used with IAM Roles for EC2 Instances.
IAMS3CWInstanceProfile:
Type: "AWS::IAM::InstanceProfile"
Properties:
Path: "/"
Roles:
-
Ref: "IAMS3CW"
IAMVPCLog:
Type: "AWS::IAM::Role"
Properties:
# Update Inline or Custom Policy
Policies:
-
PolicyName: "Custom-VPC-Log"
PolicyDocument:
Version: "2012-10-17"
Statement:
-
Effect: "Allow"
Action:
- "logs:CreateLogGroup"
- "logs:CreateLogStream"
- "logs:PutLogEvents"
- "logs:DescribeLogGroups"
- "logs:DescribeLogStreams"
Resource: "*"
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
-
Effect: "Allow"
Principal:
Service:
- "vpc-flow-logs.amazonaws.com"
Action:
- "sts:AssumeRole"
Path: "/"
# AWS::IAM::InstanceProfile
# Creates an AWS Identity and Access Management (IAM) Instance Profile that can be used with IAM Roles for EC2 Instances.
IAMVPCLogInstanceProfile:
Type: "AWS::IAM::InstanceProfile"
Properties:
Path: "/"
Roles:
-
Ref: "IAMVPCLog"
Outputs:
IAMS3CWInstanceProfile:
Description: "Policy to Allow EC2 instance full access to S3 & CloudWatch"
Value: !Ref "IAMS3CWInstanceProfile"
IAMVPCLogInstanceProfile:
Description: "Policy to Allow EC2 VPC Logs to CloudWatch"
Value: !Ref "IAMVPCLogInstanceProfile"
VPCFlowLogRoleArn:
Description: "Arn VPC Logs to CloudWatch"
Value:
Fn::GetAtt:
- "IAMVPCLog"
- "Arn"
You can’t perform that action at this time.