docs/source/_static/managed-policies/AWSQuickSetupPatchPolicyDeploymentRolePolicy.json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "CfnRead",
"Effect": "Allow",
"Action": [
"cloudformation:DescribeStacks",
"cloudformation:DescribeStackDriftDetectionStatus",
"cloudformation:ListStacks"
],
"Resource": [
"*"
]
},
{
"Sid": "CfnManage",
"Effect": "Allow",
"Action": [
"cloudformation:CreateStack",
"cloudformation:UpdateStack",
"cloudformation:DeleteStack",
"cloudformation:CreateChangeSet",
"cloudformation:DeleteChangeSet",
"cloudformation:ExecuteChangeSet",
"cloudformation:DescribeChangeSet",
"cloudformation:DescribeStackResourceDrifts",
"cloudformation:DetectStackDrift",
"cloudformation:DetectStackResourceDrift"
],
"Resource": [
"arn:aws:cloudformation:*:*:stack/StackSet-AWS-QuickSetup-*"
]
},
{
"Sid": "RGroupsGet",
"Effect": "Allow",
"Action": [
"resource-groups:GetGroupQuery"
],
"Resource": [
"*"
]
},
{
"Sid": "S3BucketsList",
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets"
],
"Resource": [
"*"
]
},
{
"Sid": "AccessLogsBucketManage",
"Effect": "Allow",
"Action": [
"s3:CreateBucket",
"s3:DeleteBucket",
"s3:DeleteBucketPolicy",
"s3:Put*",
"s3:Get*",
"s3:List*"
],
"Condition": {
"ForAnyValue:StringEquals": {
"aws:CalledVia": [
"cloudformation.amazonaws.com"
]
},
"StringEquals": {
"aws:ResourceAccount": "${aws:PrincipalAccount}"
}
},
"Resource": [
"arn:aws:s3:::aws-quicksetup-patchpolicy-access-log-*"
]
},
{
"Sid": "LambdaManage",
"Effect": "Allow",
"Action": [
"lambda:CreateFunction",
"lambda:UpdateFunction*",
"lambda:GetFunction",
"lambda:ListTags",
"lambda:TagResource",
"lambda:DeleteFunction",
"lambda:InvokeFunction",
"lambda:UntagResource"
],
"Condition": {
"ForAnyValue:StringEquals": {
"aws:CalledVia": [
"cloudformation.amazonaws.com"
]
},
"StringEquals": {
"aws:ResourceAccount": [
"${aws:PrincipalAccount}"
]
}
},
"Resource": [
"arn:aws:lambda:*:*:function:baseline-overrides-*",
"arn:aws:lambda:*:*:function:delete-name-tags-*"
]
},
{
"Sid": "LogGroupsDescribe",
"Effect": "Allow",
"Action": [
"logs:DescribeLogGroups"
],
"Resource": "*"
},
{
"Sid": "LogGroupsManage",
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:TagResource",
"logs:PutRetentionPolicy",
"logs:DeleteLogGroup",
"logs:ListTagsForResource",
"logs:UntagResource"
],
"Condition": {
"ForAnyValue:StringEquals": {
"aws:CalledVia": [
"cloudformation.amazonaws.com"
]
}
},
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/lambda/baseline-overrides-*",
"arn:aws:logs:*:*:log-group:/aws/lambda/delete-name-tags-*"
]
},
{
"Sid": "QSDocsManage",
"Effect": "Allow",
"Action": [
"ssm:CreateDocument",
"ssm:UpdateDocument",
"ssm:DescribeDocument",
"ssm:UpdateDocumentDefaultVersion",
"ssm:DeleteDocument",
"ssm:AddTagsToResource",
"ssm:RemoveTagsFromResource",
"ssm:ListTagsForResource"
],
"Condition": {
"ForAnyValue:StringEquals": {
"aws:CalledVia": [
"cloudformation.amazonaws.com"
]
}
},
"Resource": [
"arn:aws:ssm:*:*:document/AWSQuickSetup-*",
"arn:aws:ssm:*:*:document/QuickSetup-*"
]
},
{
"Sid": "QSDocsGet",
"Effect": "Allow",
"Action": [
"ssm:GetDocument"
],
"Resource": [
"arn:aws:ssm:*:*:document/AWSQuickSetup-*",
"arn:aws:ssm:*:*:document/QuickSetup-*",
"arn:aws:ssm:*::document/AWS-EnableExplorer",
"arn:aws:ssm:*::document/AWS-RunPatchBaseline"
]
},
{
"Sid": "QSAssociationsManage",
"Effect": "Allow",
"Action": [
"ssm:CreateAssociation",
"ssm:UpdateAssociation",
"ssm:DeleteAssociation",
"ssm:DescribeAssociation"
],
"Condition": {
"ForAnyValue:StringEquals": {
"aws:CalledVia": [
"cloudformation.amazonaws.com"
]
}
},
"Resource": [
"arn:aws:ssm:*:*:document/AWSQuickSetup-*",
"arn:aws:ssm:*:*:document/QuickSetup-*",
"arn:aws:ssm:*::document/AWS-EnableExplorer",
"arn:aws:ssm:*::document/AWS-RunPatchBaseline",
"arn:aws:ec2:*:*:instance/*",
"arn:aws:ssm:*:*:managed-instance/*",
"arn:aws:ssm:*:*:association/*"
]
},
{
"Sid": "SSMSLRCreate",
"Effect": "Allow",
"Action": [
"iam:CreateServiceLinkedRole"
],
"Resource": [
"arn:aws:iam::*:role/aws-service-role/ssm.amazonaws.com/AWSServiceRoleForAmazonSSM"
],
"Condition": {
"StringEquals": {
"iam:AWSServiceName": "ssm.amazonaws.com"
}
}
},
{
"Sid": "ConfigRoleManage",
"Effect": "Allow",
"Action": [
"iam:TagRole",
"iam:UntagRole",
"iam:GetRole",
"iam:UpdateRole",
"iam:DeleteRole",
"iam:GetRolePolicy",
"iam:ListAttachedRolePolicies",
"iam:ListRolePolicies",
"iam:ListRoleTags"
],
"Condition": {
"ForAnyValue:StringEquals": {
"aws:CalledVia": [
"cloudformation.amazonaws.com"
]
}
},
"Resource": [
"arn:aws:iam::*:role/AWS-QuickSetup-*"
]
},
{
"Sid": "ConfigRolePassToSSM",
"Effect": "Allow",
"Action": [
"iam:PassRole"
],
"Resource": [
"arn:aws:iam::*:role/AWS-QuickSetup-*"
],
"Condition": {
"StringEquals": {
"iam:PassedToService": [
"ssm.amazonaws.com"
]
}
}
},
{
"Sid": "ConfigRolePassToLambda",
"Effect": "Allow",
"Action": [
"iam:PassRole"
],
"Resource": [
"arn:aws:iam::*:role/AWS-QuickSetup-*"
],
"Condition": {
"StringEquals": {
"iam:PassedToService": [
"lambda.amazonaws.com"
]
}
}
},
{
"Sid": "DocDescribe",
"Effect": "Allow",
"Action": [
"ssm:DescribeDocument"
],
"Resource": "*"
},
{
"Sid": "LegacyDocClean",
"Effect": "Allow",
"Action": [
"ssm:DeleteDocument"
],
"Resource": "*",
"Condition": {
"StringLike": {
"aws:ResourceTag/QuickSetupID": "*"
}
}
},
{
"Sid": "LegacyIAMClean",
"Effect": "Allow",
"Action": [
"iam:DeleteRole",
"iam:DeleteRolePolicy"
],
"Resource": "arn:aws:iam::*:role/*QuickSetup-*",
"Condition": {
"StringLike": {
"aws:ResourceTag/QuickSetupID": "*"
}
}
},
{
"Sid": "ConfigRoleBoundedManage",
"Effect": "Allow",
"Action": [
"iam:CreateRole",
"iam:AttachRolePolicy",
"iam:DeleteRolePolicy",
"iam:DetachRolePolicy",
"iam:PutRolePolicy",
"iam:PutRolePermissionsBoundary"
],
"Condition": {
"StringEquals": {
"iam:PermissionsBoundary": "arn:aws:iam::aws:policy/AWSQuickSetupPatchPolicyPermissionsBoundary"
},
"ForAnyValue:StringEquals": {
"aws:CalledVia": [
"cloudformation.amazonaws.com"
]
}
},
"Resource": [
"arn:aws:iam::*:role/AWS-QuickSetup-*"
]
}
]
}