Skip to content
Permalink
Branch: master
Find file Copy path
Find file Copy path
1 contributor

Users who have contributed to this file

198 lines (172 sloc) 5.16 KB
# Note: Policy to Allow EC2 instance full access to S3 & CloudWatch,
# Policy to Allow EC2 VPC Logs to CloudWatch
#
---
AWSTemplateFormatVersion: "2010-09-09"
Description: >
Policy to Allow EC2 instance full access to S3 & CloudWatch.
Policy to Allow EC2 VPC Logs to CloudWatch
Parameters:
PMServerEnv:
Description: "Server Environment name."
ConstraintDescription: "Invalid environment name. Choose an environment from the list"
Type: "String"
AllowedValues:
- "dev"
- "staging"
- "prod"
Resources:
IAMS3CW:
Type: "AWS::IAM::Role"
Properties:
ManagedPolicyArns:
- "arn:aws:iam::aws:policy/CloudWatchFullAccess"
- "arn:aws:iam::aws:policy/AmazonS3FullAccess"
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
-
Effect: "Allow"
Principal:
Service:
- "ec2.amazonaws.com"
Action:
- "sts:AssumeRole"
Path: "/"
# AWS::IAM::InstanceProfile
# Creates an AWS Identity and Access Management (IAM) Instance Profile that can be used with IAM Roles for EC2 Instances.
IAMS3CWInstanceProfile:
Type: "AWS::IAM::InstanceProfile"
Properties:
Path: "/"
Roles:
-
Ref: "IAMS3CW"
IAMVPCLog:
Type: "AWS::IAM::Role"
Properties:
# Update Inline or Custom Policy
Policies:
-
PolicyName: "Custom-VPC-Log"
PolicyDocument:
Version: "2012-10-17"
Statement:
-
Effect: "Allow"
Action:
- "logs:CreateLogGroup"
- "logs:CreateLogStream"
- "logs:PutLogEvents"
- "logs:DescribeLogGroups"
- "logs:DescribeLogStreams"
Resource: "*"
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
-
Effect: "Allow"
Principal:
Service:
- "vpc-flow-logs.amazonaws.com"
Action:
- "sts:AssumeRole"
Path: "/"
# AWS::IAM::InstanceProfile
# Creates an AWS Identity and Access Management (IAM) Instance Profile that can be used with IAM Roles for EC2 Instances.
IAMVPCLogInstanceProfile:
Type: "AWS::IAM::InstanceProfile"
Properties:
Path: "/"
Roles:
-
Ref: "IAMVPCLog"
IAMECS:
Type: "AWS::IAM::Role"
Properties:
ManagedPolicyArns:
- "arn:aws:iam::aws:policy/AmazonEC2ContainerServiceFullAccess"
- "arn:aws:iam::aws:policy/AmazonEC2FullAccess"
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
-
Effect: "Allow"
Principal:
Service:
- "ec2.amazonaws.com"
Action:
- "sts:AssumeRole"
Path: "/"
# AWS::IAM::InstanceProfile
# Creates an AWS Identity and Access Management (IAM) Instance Profile that can be used with IAM Roles for ECS Clusters.
IAMECSInstanceProfile:
Type: "AWS::IAM::InstanceProfile"
Properties:
Path: "/"
Roles:
-
Ref: "IAMECS"
IAMECSServiceRole:
Type: 'AWS::IAM::Role'
Properties:
ManagedPolicyArns:
- 'arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceRole'
AssumeRolePolicyDocument:
Version: '2008-10-17'
Statement:
- Effect: 'Allow'
Principal:
Service: 'ecs.amazonaws.com'
Action: 'sts:AssumeRole'
IAMScalableTargetRole:
Type: 'AWS::IAM::Role'
Properties:
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: "Allow"
Principal:
Service: 'application-autoscaling.amazonaws.com'
Action: 'sts:AssumeRole'
Path: '/'
Policies:
- PolicyName: "ecs"
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: "Allow"
Action:
- 'ecs:DescribeServices'
- 'ecs:UpdateService'
Resource: '*'
- PolicyName: "cloudwatch"
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: "Allow"
Action:
- 'cloudwatch:DescribeAlarms'
Resource: '*'
Outputs:
IAMScalableTargetRole:
Description: "Policy to Allow EC2 instance full access to S3 & CloudWatch"
Value: !GetAtt "IAMScalableTargetRole.Arn"
IAMECSServiceRole:
Description: "Policy to Allow EC2 instance full access to S3 & CloudWatch"
Value: !Ref "IAMECSServiceRole"
IAMS3CWInstanceProfile:
Description: "Policy to Allow EC2 instance full access to S3 & CloudWatch"
Value: !Ref "IAMS3CWInstanceProfile"
IAMVPCLogInstanceProfile:
Description: "Policy to Allow EC2 VPC Logs to CloudWatch"
Value: !Ref "IAMVPCLogInstanceProfile"
IAMECSInstanceProfile:
Description: "Policy to Allow ECS clusters full access"
Value: !Ref "IAMECSInstanceProfile"
VPCFlowLogRoleArn:
Description: "Arn VPC Logs to CloudWatch"
Value:
Fn::GetAtt:
- "IAMVPCLog"
- "Arn"
You can’t perform that action at this time.