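# webapp-iam.yaml
#
# IAM roles and instance profiles for the web application stack:
#   * IAMS3CW / IAMS3CWInstanceProfile - role assumed by EC2 instances; it
#     attaches the AWS managed policies AmazonS3FullAccess and
#     CloudWatchFullAccess (see the SECURITY note on the resource).
#   * IAMVPCLog - role assumed by the VPC Flow Logs service to publish flow
#     logs to CloudWatch Logs; its ARN is exported as VPCFlowLogRoleArn.
#
# SECURITY (review): the EC2 role grants full access to every S3 bucket in
# the account plus full CloudWatch access. Scope it to the bucket(s) and
# log group(s) the application actually uses before deploying to prod.
#
# The document has no partition hard-coded; managed-policy ARNs are built
# with ${AWS::Partition} so the template also works outside the aws partition.
---
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Policy to Allow EC2 instance full access to S3 & CloudWatch.
  Policy to Allow EC2 VPC Logs to CloudWatch

Parameters:
  # Deployment environment. Used to tag the roles so they can be told apart
  # (and, if desired, constrained by tag-based policies) across environments.
  PMServerEnv:
    Description: "Server Environment name."
    ConstraintDescription: "Invalid environment name. Choose an environment from the list"
    Type: "String"
    AllowedValues:
      - "dev"
      - "staging"
      - "prod"

Resources:
  # Role assumed by EC2 instances via IAMS3CWInstanceProfile.
  #
  # SECURITY (review): AmazonS3FullAccess is s3:* on every bucket in the
  # account, and CloudWatchFullAccess is far broader than "write metrics and
  # logs". Any compromise of an instance (SSRF against the instance metadata
  # service, RCE in the web app) inherits these permissions. Replace both with
  # an inline policy scoped to the application's bucket ARN(s) and log-group
  # ARN(s) once those are known - they are not parameters of this template,
  # so the managed policies are kept here to preserve current behaviour.
  IAMS3CW:
    Type: "AWS::IAM::Role"
    Properties:
      Path: "/"
      ManagedPolicyArns:
        - !Sub "arn:${AWS::Partition}:iam::aws:policy/CloudWatchFullAccess"
        - !Sub "arn:${AWS::Partition}:iam::aws:policy/AmazonS3FullAccess"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Service:
                - "ec2.amazonaws.com"
            Action:
              - "sts:AssumeRole"
      Tags:
        - Key: "Environment"
          Value: !Ref PMServerEnv

  # Instance profile that lets EC2 instances obtain credentials for IAMS3CW.
  IAMS3CWInstanceProfile:
    Type: "AWS::IAM::InstanceProfile"
    Properties:
      Path: "/"
      Roles:
        - !Ref IAMS3CW

  # Role assumed by the VPC Flow Logs service when a flow log is created with
  # a CloudWatch Logs destination and this role's ARN (output VPCFlowLogRoleArn).
  IAMVPCLog:
    Type: "AWS::IAM::Role"
    Properties:
      Path: "/"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Service:
                - "vpc-flow-logs.amazonaws.com"
            Action:
              - "sts:AssumeRole"
            # Confused-deputy protection recommended by AWS for service
            # principals: only flow logs that belong to THIS account may
            # assume the role, not a flow log in another account that names
            # this role ARN. The region is left as a wildcard so a flow log
            # created in a different region of the same account still works.
            Condition:
              StringEquals:
                "aws:SourceAccount": !Ref "AWS::AccountId"
              ArnLike:
                "aws:SourceArn": !Sub "arn:${AWS::Partition}:ec2:*:${AWS::AccountId}:vpc-flow-log/*"
      # Inline policy: the minimum set of CloudWatch Logs actions the flow
      # logs service needs to create the log group/streams and write events.
      Policies:
        - PolicyName: "Custom-VPC-Log"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Action:
                  - "logs:CreateLogGroup"
                  - "logs:CreateLogStream"
                  - "logs:PutLogEvents"
                  - "logs:DescribeLogGroups"
                  - "logs:DescribeLogStreams"
                # Matches the AWS reference policy for publishing flow logs to
                # CloudWatch Logs. It could be tightened to the flow-log
                # log-group ARN once that name is fixed; this template does
                # not know it, so "*" is kept.
                Resource: "*"
      Tags:
        - Key: "Environment"
          Value: !Ref PMServerEnv

  # NOTE (review): this instance profile is kept only because the
  # IAMVPCLogInstanceProfile output is part of the template's interface.
  # IAMVPCLog trusts vpc-flow-logs.amazonaws.com, not ec2.amazonaws.com, so an
  # instance launched with this profile cannot obtain credentials from it.
  # Consumers should attach VPCFlowLogRoleArn to the flow log instead.
  IAMVPCLogInstanceProfile:
    Type: "AWS::IAM::InstanceProfile"
    Properties:
      Path: "/"
      Roles:
        - !Ref IAMVPCLog

Outputs:
  IAMS3CWInstanceProfile:
    Description: "Policy to Allow EC2 instance full access to S3 & CloudWatch"
    Value: !Ref IAMS3CWInstanceProfile
  # See the NOTE on IAMVPCLogInstanceProfile: not usable by EC2 instances.
  IAMVPCLogInstanceProfile:
    Description: "Policy to Allow EC2 VPC Logs to CloudWatch"
    Value: !Ref IAMVPCLogInstanceProfile
  # Pass this ARN as DeliverLogsPermissionArn on the AWS::EC2::FlowLog resource.
  VPCFlowLogRoleArn:
    Description: "Arn VPC Logs to CloudWatch"
    Value: !GetAtt IAMVPCLog.Arn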