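---
# CloudFormation service role and its managed policy.
#
# CfnPolicy is a customer managed policy; CfnRole is assumed by the
# CloudFormation service (cloudformation.amazonaws.com) and carries that
# policy, so a stack created with CfnRole as its service role can provision
# DynamoDB tables, ECR repositories, Lambda functions and layers, CloudWatch
# log groups, KMS usage, S3 buckets, SageMaker, Step Functions, SNS and
# API Gateway resources.
#
# Security notes (review):
#   * The last statement still grants sagemaker:*, states:*, sns:* and
#     apigateway:* on Resource "*", plus s3:PutBucketPolicy and
#     s3:PutBucketPublicAccessBlock on every bucket in the account.  Anyone
#     who can launch a stack with this role effectively holds those
#     permissions; narrow them to ARN patterns or tag conditions once the
#     stack naming convention is fixed.
#   * iam:CreateRole + iam:AttachRolePolicy/iam:PutRolePolicy on role/*
#     together with iam:PassRole is a privilege-escalation chain (create a
#     role with an admin policy, pass it to Lambda, invoke the function).
#     iam:PassRole is now limited with iam:PassedToService; the remaining
#     gap is best closed by requiring a permissions boundary
#     (iam:PermissionsBoundary condition) on CreateRole / PutRolePolicy /
#     AttachRolePolicy.
#   * kms:Decrypt, kms:Encrypt, kms:GenerateDataKey and kms:CreateGrant on
#     key/* cover every key in the account; restrict to the keys the stacks
#     use and gate CreateGrant with kms:GrantIsForAWSResource = true.
#
# Deploying this template needs CAPABILITY_NAMED_IAM because both the policy
# and the role take caller-supplied names.
AWSTemplateFormatVersion: '2010-09-09'
Description: Managed policy and service role assumed by CloudFormation.

Parameters:
  PolicyName:
    Type: String
    Description: The name of the IAM policy that will be created
  RoleName:
    Type: String
    Description: The name of the IAM role that will be created

Resources:
  CfnPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: !Ref PolicyName
      Path: /
      # Written as native YAML rather than an embedded JSON string so that
      # cfn-lint / the console validator can check the document and a folded
      # ('>') scalar cannot silently swallow a misplaced quote or comma.
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          # Actions that can be scoped to a resource ARN pattern.  The
          # patterns are still account- and region-wide wildcards.
          - Sid: ManageScopedResources
            Effect: Allow
            Action:
              - dynamodb:CreateTable
              - dynamodb:DeleteTable
              - dynamodb:DescribeContinuousBackups
              - dynamodb:DescribeContributorInsights
              - dynamodb:DescribeKinesisStreamingDestination
              - dynamodb:DescribeTable
              - dynamodb:DescribeTimeToLive
              - dynamodb:ListTagsOfResource
              - dynamodb:UpdateContinuousBackups
              - ecr:BatchGetImage
              - ecr:DeleteRepository
              - ecr:GetDownloadUrlForLayer
              - ecr:GetLifecyclePolicy
              - ecr:GetRepositoryPolicy
              - ecr:ListTagsForResource
              - ecr:TagResource
              - iam:AttachRolePolicy
              - iam:CreateRole
              - iam:CreateServiceLinkedRole
              - iam:DeleteRole
              - iam:DeleteRolePolicy
              - iam:DetachRolePolicy
              - iam:GetRole
              - iam:GetRolePolicy
              - iam:PutRolePolicy
              - kms:CreateGrant
              - kms:Decrypt
              - kms:DescribeKey
              - kms:Encrypt
              - kms:GenerateDataKey
              - lambda:PublishLayerVersion
              - logs:CreateLogGroup
              - logs:DescribeLogGroups
              - logs:ListTagsLogGroup
              - logs:PutRetentionPolicy
            Resource:
              - arn:aws:dynamodb:*:*:table/*
              - arn:aws:ecr:*:*:repository/*
              - arn:aws:iam::*:role/*
              - arn:aws:kms:*:*:key/*
              - arn:aws:lambda:*:*:layer:*
              - arn:aws:logs:*:*:log-group:*
          # Layer *versions* carry one more ARN segment than layers, hence
          # the separate statement.
          - Sid: DeleteLayerVersions
            Effect: Allow
            Action: lambda:DeleteLayerVersion
            Resource: arn:aws:lambda:*:*:layer:*:*
          # iam:PassRole is split out of the unscoped statement and limited to
          # the services this policy can actually provision.  Without the
          # condition any role in the account could be handed to any service.
          # Extend the list if stacks start passing roles to other services.
          - Sid: PassRoleToProvisionedServices
            Effect: Allow
            Action: iam:PassRole
            Resource: arn:aws:iam::*:role/*
            Condition:
              StringEquals:
                iam:PassedToService:
                  - apigateway.amazonaws.com
                  - lambda.amazonaws.com
                  - sagemaker.amazonaws.com
                  - states.amazonaws.com
          # Actions left on Resource "*".  See the security notes at the top:
          # the service-wide wildcards and the bucket-policy writes are the
          # broadest grants in this template.
          - Sid: ManageUnscopedResources
            Effect: Allow
            Action:
              - apigateway:*
              - ec2:DescribeNetworkInterfaces
              - ecr:CreateRepository
              - ecr:DescribeRepositories
              - lambda:AddPermission
              - lambda:CreateFunction
              - lambda:DeleteFunction
              - lambda:GetFunction
              - lambda:GetFunctionCodeSigningConfig
              - lambda:GetLayerVersion
              - lambda:GetRuntimeManagementConfig
              - lambda:InvokeFunction
              - lambda:RemovePermission
              - s3:CreateBucket
              - s3:DeleteBucket
              - s3:GetBucketPolicy
              - s3:GetObject
              - s3:PutBucketCORS
              - s3:PutBucketPolicy
              - s3:PutBucketPublicAccessBlock
              - s3:PutBucketTagging
              - sagemaker:*
              - sns:*
              - states:*
            Resource: '*'

  CfnRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Ref RoleName
      Path: /
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: cloudformation.amazonaws.com
            Action: sts:AssumeRole
            # Confused-deputy guard: only stacks in this account may assume
            # the role, even though the principal is a service.  A stack's
            # service role must live in the stack's own account, so this
            # cannot reject a legitimate caller.
            Condition:
              StringEquals:
                aws:SourceAccount: !Ref AWS::AccountId
      ManagedPolicyArns:
        - !Ref CfnPolicy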