Sunday, September 20, 2020

S3 IAM Roles - CloudFormation Template

 

{
"AWSTemplateFormatVersion" : "2010-09-09",
"Description" : "EC2 instance with an IAM role (s3:List* and s3:CreateBucket on Resource * - all buckets in the account) attached via an instance profile. The security group opens SSH to 0.0.0.0/0; restrict it before using this outside a lab.",
"Parameters" : {
"KeyName" : {
"Description" : "Name of an existing EC2 KeyPair used for SSH access to the instance",
"Type" : "AWS::EC2::KeyPair::KeyName"
},
"myVPC": {
"Description" : "Learning Activity Provided VPC (replace the vpc-XXXXXXXX placeholder default with the real VPC ID)",
"Type" : "String",
"Default" : "vpc-XXXXXXXX"
},
"MySubnet": {
"Description" : "Learning Activity Provided subnet (replace the subnet-XXXXXXXX placeholder default with a subnet in the VPC above; the instance needs a public IP for the SSH output to work)",
"Type": "String",
"Default": "subnet-XXXXXXXX"
},
"InstanceType1" : {
"Description" : "EC2 instance type, restricted to the AllowedValues list",
"Type" : "String",
"Default" : "t2.micro",
"AllowedValues" : ["t2.micro", "t2.small"]
}
},
"Mappings" : {
"AMIs" : {
"us-east-1" : {
"Name" : "ami-8c1be5f6"
},
"us-east-2" : {
"Name" : "ami-c5062ba0"
},
"eu-west-1" : {
"Name" : "ami-acd005d5"
}
}
},
"Resources" : {
"EC2WithRole" : {
"Type" : "AWS::EC2::Instance",
"Properties" : {
"InstanceType" : {
"Ref" : "InstanceType1"
},
"SubnetId": { "Ref": "MySubnet" },
"ImageId" : {
"Fn::FindInMap" : [
"AMIs",
{
"Ref" : "AWS::Region"
},
"Name"
]
},
"KeyName" : {
"Ref" : "KeyName"
},
"IamInstanceProfile" : {
"Ref" : "ListBuckets"
},
"SecurityGroupIds" : [
{
"Ref" : "MySG"
}
],
"Tags" : [
{
"Key" : "Name",
"Value" : "EC2WithRole"
}
]
}
},
"MySG" : {
"Type" : "AWS::EC2::SecurityGroup",
"Properties" : {
"VpcId" : {"Ref" : "myVPC"},
"GroupDescription" : "Allow SSH (tcp/22) from anywhere (0.0.0.0/0) - restrict CidrIp to a trusted range before use outside a lab",
"SecurityGroupIngress" : [
{
"FromPort" : "22",
"ToPort" : "22",
"IpProtocol" : "tcp",
"CidrIp" : "0.0.0.0/0"
}
],
"Tags" : [
{
"Key" : "Name",
"Value" : "MySG"
}
]
}
},
"ListBuckets" : {
"Type" : "AWS::IAM::InstanceProfile",
"Properties" : {
"Path" : "/",
"Roles" : [
{
"Ref" : "S3BucketRole"
}
]
}
},
"S3BucketPolicy" : {
"Type" : "AWS::IAM::Policy",
"Properties" : {
"PolicyName" : "S3BucketPolicy",
"PolicyDocument" : {
"Statement" : [
{
"Effect" : "Allow",
"Action" : [
"s3:List*",
"s3:CreateBucket"
],
"Resource" : "*"
}
]
},
"Roles" : [
{
"Ref" : "S3BucketRole"
}
]
}
},
"S3BucketRole" : {
"Type" : "AWS::IAM::Role",
"Properties" : {
"AssumeRolePolicyDocument": {
"Version" : "2012-10-17",
"Statement" : [
{
"Effect" : "Allow",
"Principal" : {
"Service" : ["ec2.amazonaws.com"]
},
"Action" : [
"sts:AssumeRole"
]
}
]
},
"Path" : "/"
}
}
},
"Outputs" : {
"EC2" : {
"Description" : "SSH command for the instance (public IP plus the KeyPair name as a .pem file)",
"Value" : {
"Fn::Join" : [
"",
[
"ssh ec2-user@",
{
"Fn::GetAtt" : [
"EC2WithRole",
"PublicIp"
]
},
" -i ",
{
"Ref" : "KeyName"
},
".pem"
]
]
}
}
}
}