{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "Creates the Strategic Blue SbslTrader and SbslRiAuditor IAM roles, which allow Strategic Blue users to purchase and manage commitments (SbslTrader) or to list and describe them (SbslRiAuditor) in this account.",
    "Metadata": {
        "AWS::CloudFormation::Interface": {
            "ParameterGroups": [
                {
                    "Label": {
                        "default": "Role-Based Access Control"
                    },
                    "Parameters": [
                        "TrustedAccountId"
                    ]
                }
            ],
            "ParameterLabels": {
                "TrustedAccountId": {
                    "default": "Trusted Account Id"
                }
            }
        }
    },
    "Parameters": {
        "TrustedAccountId": {
            "Description": "Enter the 12-digit ID of the trusted AWS account (the Strategic Blue account) that is allowed to assume both roles.",
            "Type": "String",
            "MinLength": "12",
            "MaxLength": "12",
            "AllowedPattern": "^[0-9]{12}$"
        }
    },
    "Resources": {
        "ROLETRADER": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "RoleName": "SbslTrader",
                "Description": "Allows Strategic Blue to purchase and manage Commitments within this account.",
                "Path": "/",
                "MaxSessionDuration": 43200,
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [
                        {
                            "Effect": "Allow",
                            "Principal": {
                                "AWS": {
                                    "Ref": "TrustedAccountId"
                                }
                            },
                            "Action": [
                                "sts:AssumeRole"
                            ]
                        }
                    ]
                }
            }
        },
        "POLICYTRADER1": {
            "Type": "AWS::IAM::Policy",
            "Properties": {
                "PolicyName": "sbsl-trader-access-1",
                "Roles": [
                    {
                        "Ref": "ROLETRADER"
                    }
                ],
                "PolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [
                        {
                            "Sid": "SupportAccess",
                            "Effect": "Allow",
                            "Action": [
                                "support:*",
                                "support-console:*",
                                "trustedadvisor:DescribeAccount",
                                "trustedadvisor:DescribeChecks"
                            ],
                            "Resource": "*"
                        },
                        {
                            "Sid": "CostExplorer",
                            "Effect": "Allow",
                            "Action": [
                                "ce:Get*",
                                "ce:List*",
                                "ce:Describe*",
                                "ce:StartSavingsPlansPurchaseRecommendationGeneration"
                            ],
                            "Resource": "*"
                        },
                        {
                            "Sid": "TagCommitments",
                            "Effect": "Allow",
                            "Action": [
                                "tag:TagResources"
                            ],
                            "Resource": "*"
                        },
                        {
                            "Sid": "ManageSavingsPlans",
                            "Effect": "Allow",
                            "Action": [
                                "savingsplans:*"
                            ],
                            "Resource": "*"
                        },
                        {
                            "Sid": "ManageEc2Ris",
                            "Effect": "Allow",
                            "Action": [
                                "ec2:DescribeRegions",
                                "ec2:DescribeAvailabilityZones",
                                "ec2:GetHostReservationPurchasePreview",
                                "ec2:DescribeHostReservationOfferings",
                                "ec2:DescribeSpotPriceHistory",
                                "ec2:DescribeInstanceTypeOfferings",
                                "ec2:DescribeAccountAttributes",
                                "ec2:DescribeReservedInstances",
                                "ec2:DescribeReservedInstancesListings",
                                "ec2:DescribeHostReservations",
                                "ec2:DescribeReservedInstancesOfferings",
                                "ec2:GetReservedInstancesExchangeQuote",
                                "ec2:GetInstanceTypesFromInstanceRequirements",
                                "ec2:DescribeInstanceTypes",
                                "ec2:DescribeReservedInstancesModifications",
                                "ec2:DescribeTags",
                                "ec2:CreateTags",
                                "ec2:DeleteTags",
                                "ec2:PurchaseHostReservation",
                                "ec2:PurchaseReservedInstancesOffering",
                                "ec2:DeleteQueuedReservedInstances",
                                "ec2:ModifyReservedInstances",
                                "ec2:CreateReservedInstancesListing",
                                "ec2:CancelReservedInstancesListing",
                                "ec2:AcceptReservedInstancesExchangeQuote"
                            ],
                            "Resource": "*"
                        },
                        {
                            "Sid": "ManageRdsRis",
                            "Effect": "Allow",
                            "Action": [
                                "rds:DescribeDBEngineVersions",
                                "rds:DescribeEngineDefaultParameters",
                                "rds:DescribeAccountAttributes",
                                "rds:AddTagsToResource",
                                "rds:ListTagsForResource",
                                "rds:RemoveTagsFromResource",
                                "rds:DescribeReservedDBInstances",
                                "rds:DescribeReservedDBInstancesOfferings",
                                "rds:PurchaseReservedDBInstancesOffering"
                            ],
                            "Resource": "*"
                        },
                        {
                            "Sid": "ManageElastiCacheRis",
                            "Effect": "Allow",
                            "Action": [
                                "elasticache:DescribeServiceUpdates",
                                "elasticache:DescribeCacheEngineVersions",
                                "elasticache:DescribeReservedCacheNodes",
                                "elasticache:DescribeReservedCacheNodesOfferings",
                                "elasticache:RemoveTagsFromResource",
                                "elasticache:AddTagsToResource",
                                "elasticache:ListTagsForResource",
                                "elasticache:PurchaseReservedCacheNodesOffering"
                            ],
                            "Resource": "*"
                        },
                        {
                            "Sid": "ManageElasticsearchRis",
                            "Effect": "Allow",
                            "Action": [
                                "es:ListVersions",
                                "es:ListElasticsearchVersions",
                                "es:ListInstanceTypeDetails",
                                "es:ListElasticsearchInstanceTypeDetails",
                                "es:ListElasticsearchInstanceTypes",
                                "es:DescribeReservedInstances",
                                "es:DescribeReservedElasticsearchInstances",
                                "es:DescribeReservedInstanceOfferings",
                                "es:DescribeReservedElasticsearchInstanceOfferings",
                                "es:PurchaseReservedInstanceOffering",
                                "es:PurchaseReservedElasticsearchInstanceOffering"
                            ],
                            "Resource": "*"
                        },
                        {
                            "Sid": "ManageRedshiftRis",
                            "Effect": "Allow",
                            "Action": [
                                "redshift:DescribeAccountAttributes",
                                "redshift:DescribeReservedNodeOfferings",
                                "redshift:GetReservedNodeExchangeConfigurationOptions",
                                "redshift:DescribeReservedNodeExchangeStatus",
                                "redshift:DescribeReservedNodes",
                                "redshift:GetReservedNodeExchangeOfferings",
                                "redshift:AcceptReservedNodeExchange",
                                "redshift:GetReservedNodeExchangeOfferings",
                                "redshift:PurchaseReservedNodeOffering"
                            ],
                            "Resource": "*"
                        }
                    ]
                }
            }
        },
        "ROLERIAUDITOR": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "RoleName": "SbslRiAuditor",
                "Description": "Allows Strategic Blue to list and describe the commitments within this account.",
                "Path": "/",
                "MaxSessionDuration": 43200,
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [
                        {
                            "Effect": "Allow",
                            "Principal": {
                                "AWS": {
                                    "Ref": "TrustedAccountId"
                                }
                            },
                            "Action": [
                                "sts:AssumeRole"
                            ]
                        }
                    ]
                }
            }
        },
        "POLICYRIAUDITOR": {
            "Type": "AWS::IAM::Policy",
            "Properties": {
                "PolicyName": "sbsl-ri-auditor",
                "Roles": [
                    {
                        "Ref": "ROLERIAUDITOR"
                    }
                ],
                "PolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [
                        {
                            "Sid": "AuditCommitments",
                            "Effect": "Allow",
                            "Action": [
                                "ec2:DescribeRegions",
                                "ec2:DescribeReservedInstancesListings",
                                "ec2:DescribeReservedInstancesModifications",
                                "ec2:DescribeReservedInstances",
                                "ec2:DescribeReservedInstancesOfferings",
                                "ec2:GetReservedInstancesExchangeQuote",
                                "elasticache:DescribeReservedCacheNodes",
                                "elasticache:DescribeReservedCacheNodesOfferings",
                                "es:DescribeReservedElasticsearchInstanceOfferings",
                                "es:DescribeReservedElasticsearchInstances",
                                "es:DescribeReservedInstanceOfferings",
                                "es:DescribeReservedInstances",
                                "rds:DescribeReservedDBInstances",
                                "rds:DescribeReservedDBInstancesOfferings",
                                "redshift:DescribeReservedNodeOfferings",
                                "redshift:DescribeReservedNodes",
                                "savingsplans:DescribeSavingsPlansOfferingRates",
                                "savingsplans:DescribeSavingsPlansOfferings",
                                "savingsplans:DescribeSavingsPlans",
                                "savingsplans:DescribeSavingsPlanRates"
                            ],
                            "Resource": "*"
                        }
                    ]
                }
            }
        },
        "ElastiCacheSLR": {
            "Type": "AWS::IAM::ServiceLinkedRole",
            "Properties": {
                "AWSServiceName": "elasticache.amazonaws.com"
            }
        },
        "RDSSLR": {
            "Type": "AWS::IAM::ServiceLinkedRole",
            "Properties": {
                "AWSServiceName": "rds.amazonaws.com"
            }
        }
    }
}