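AWSTemplateFormatVersion: '2010-09-09'
Description: CloudFormation Write-Only Managed Policy for Deployment Operations

Resources:
  # Customer-managed policy meant for a deployment principal that assumes a
  # role carrying it (see the policy Description). It deliberately grants no
  # iam:PassRole: without a service role passed in, CloudFormation provisions
  # with the caller's own permissions, so this policy cannot be used to hand a
  # more privileged service role to CloudFormation. The flip side is that every
  # resource type the deployed templates create has to be covered by an
  # explicit statement below (the S3 and CloudFront statements are that).
  CloudFormationWritePolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      # NOTE(review): managed-policy names are unique per account, so a second
      # stack from this template in the same account fails on the collision.
      ManagedPolicyName: CloudFormationWrite
      Description: >-
        Minimal CloudFormation write permissions for deployment operations.
        Intended for use via AssumeRole, not attached to Permission Sets.
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          # Stack lifecycle. Resource '*' means this role can update, delete or
          # roll back ANY stack in the account, not just the ones it deploys.
          # TODO(review): scope the stack-targeting actions to a stack-name
          # prefix, e.g.
          #   !Sub 'arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/<prefix>-*/*'
          # Some list/describe actions do not support resource-level
          # restriction (check the service authorization reference) and would
          # then need their own '*' statement.
          - Sid: StackLifecycle
            Effect: Allow
            Action:
              - cloudformation:CreateStack
              - cloudformation:UpdateStack
              - cloudformation:DeleteStack
              # NOTE(review): presumably the console helper that creates an S3
              # bucket for template upload; a CLI/AssumeRole pipeline should
              # not need it — confirm before keeping.
              - cloudformation:CreateUploadBucket
              - cloudformation:CreateChangeSet
              - cloudformation:ExecuteChangeSet
              - cloudformation:DescribeStacks
              - cloudformation:DescribeStackEvents
              - cloudformation:DescribeChangeSet
              - cloudformation:ListStacks
              - cloudformation:ListChangeSets
              - cloudformation:DetectStackDrift
              - cloudformation:DetectStackResourceDrift
              - cloudformation:DescribeStackDriftDetectionStatus
              # NOTE(review): StackSets operation, and no other stackset action
              # is granted here, so it is unlikely to be usable on its own —
              # confirm it is needed, otherwise drop it.
              - cloudformation:ImportStacksToStackSet
              - cloudformation:ContinueUpdateRollback
            Resource: '*'

          # IaC generator: resource scanning. Read-only apart from
          # StartResourceScan; resource scans are account-level, so '*' is the
          # only meaningful target here.
          - Sid: ResourceScanningOperations
            Effect: Allow
            Action:
              - cloudformation:DescribeResourceScan
              - cloudformation:GetResource
              - cloudformation:ListResources
              - cloudformation:ListResourceScanRelatedResources
              - cloudformation:ListResourceScanResources
              - cloudformation:ListResourceScans
              - cloudformation:ListTypes
              - cloudformation:StartResourceScan
            Resource: '*'

          # IaC generator: generated templates. cloudformation:GetResource was
          # listed here as well as in ResourceScanningOperations; the duplicate
          # is dropped, the effective permissions are unchanged.
          - Sid: TemplateGeneration
            Effect: Allow
            Action:
              - cloudformation:CreateGeneratedTemplate
              - cloudformation:DeleteGeneratedTemplate
              - cloudformation:DescribeGeneratedTemplate
              - cloudformation:GetGeneratedTemplate
              - cloudformation:ListGeneratedTemplates
              - cloudformation:UpdateGeneratedTemplate
            Resource: '*'

          # Resource Groups Tagging API on '*' lets the role rewrite tags on any
          # resource in the account. If any policy in this account relies on
          # tag-based (ABAC) conditions, this is a way around them.
          # TODO(review): restrict with an aws:TagKeys condition to the tag keys
          # the pipeline actually sets.
          - Sid: ResourceTagging
            Effect: Allow
            Action:
              - tag:TagResources
              - tag:UntagResources
            Resource: '*'

          # Artifact upload. s3:PutObject on '*' allows writing into every
          # bucket this account can write to — including buckets holding other
          # teams' deployment packages or static sites, which makes this a
          # supply-chain lever rather than a "minimal" grant.
          # TODO(review): scope to the artifact bucket and prefix, e.g.
          #   arn:aws:s3:::<artifact-bucket>/<prefix>/*
          - Sid: ArtifactUpload
            Effect: Allow
            Action:
              - s3:PutObject
            Resource: '*'

          # CloudFront Functions managed by the deployed templates, plus cache
          # invalidation. Functions are ARN-addressable (…:function/<name>) and
          # CreateInvalidation targets a distribution ARN, so both can be scoped
          # to the pipeline's own resources once their names are known.
          - Sid: CloudFrontFunctions
            Effect: Allow
            Action:
              - cloudfront:CreateFunction
              - cloudfront:UpdateFunction
              - cloudfront:PublishFunction
              - cloudfront:DescribeFunction
              - cloudfront:GetFunction
              - cloudfront:DeleteFunction
              - cloudfront:ListFunctions
              - cloudfront:CreateInvalidation
            Resource: '*'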