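# CloudFormation template: cross-account IAM role that Prime Modality assumes
# (sts:AssumeRole) to read EC2 instances/snapshots and to create, share and
# delete its scan snapshots in this account.
#
# The format version is quoted so that generic YAML 1.1 loaders (PyYAML-based
# tooling, linters) keep it as a string rather than turning it into a date.
AWSTemplateFormatVersion: "2010-09-09"
Description: |
  Prime Modality Assume Role for accessing the specific AWS resources.

Parameters:
  # Provide the external id given to you by Prime Modality.
  # The trust policy below requires the vendor to present this value on
  # sts:AssumeRole (confused-deputy mitigation).
  ExternalId:
    Description: The external id given to you by Prime Modality
    Type: String
    # An empty value would bake an unsatisfiable sts:ExternalId condition into
    # the trust policy, so reject it at deploy time rather than at first use.
    MinLength: 1

Resources:
  # IAM role which Prime Modality will be Assuming (STS:AssumeRole)
  PrimeModalityAssumeRole:
    Type: AWS::IAM::Role
    Properties:
      Path: /
      # Trust policy: only the named vendor role in account 650238966022 may
      # assume this role, and only when it presents the agreed ExternalId.
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS:
                - "arn:aws:iam::650238966022:role/prime_modality_assume"
            Action: "sts:AssumeRole"
            Condition:
              StringEquals:
                "sts:ExternalId": !Ref ExternalId
      Policies:
        # Read-only discovery of instances and snapshots.
        - PolicyName: Ec2ReadAccess
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - "ec2:DescribeInstances"
                  - "ec2:DescribeSnapshots"
                Resource: "*"
        # Snapshot creation and tagging.
        # NOTE(review): the Delete/Modify policies below key on the Name tag,
        # while ec2:CreateTags here is unconditioned on "*", so this role could
        # tag any EC2 resource into their scope. Consider an ec2:CreateAction
        # condition so tags may only be applied at snapshot-creation time —
        # confirm with the vendor that nothing else is tagged.
        - PolicyName: Ec2CreateAccess
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - "ec2:CreateSnapshots"
                  - "ec2:CreateSnapshot"
                  - "ec2:CreateTags"
                Resource: "*"
        # Deletion is limited to snapshots carrying the vendor's marker tag.
        - PolicyName: Ec2DeleteAccess
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - "ec2:DeleteSnapshot"
                Resource: "*"
                Condition:
                  StringEquals:
                    "aws:ResourceTag/Name": "PrimeModalityScanSnapshot"
        # ModifySnapshotAttribute is the API used to share a snapshot with
        # other accounts (createVolumePermission).
        # NOTE(review): it is scoped by tag but not by target account; if the
        # snapshots are only ever shared with the vendor account, an
        # ec2:Add/userId condition would pin the destination — confirm with
        # the vendor before tightening.
        - PolicyName: Ec2ModifyAccess
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - "ec2:ModifySnapshotAttribute"
                Resource: "*"
                Condition:
                  StringEquals:
                    "aws:ResourceTag/Name": "PrimeModalityScanSnapshot"

Outputs:
  # Hand this ARN to Prime Modality together with the ExternalId.
  RoleARN:
    Description: The ARN of created role
    Value: !GetAtt PrimeModalityAssumeRole.Arn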