in security/generic_security.py [0:0]
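def create_instance_role(self, name: str) -> _iam.Role:
    """Create the EC2 instance role for ``name`` and attach its policies.

    The role is assumable only by the EC2 service principal and carries
    the AWS-managed ``AmazonSSMManagedInstanceCore`` policy plus one
    inline policy with three statements: ``s3:GetObject`` on a fixed set
    of region-suffixed buckets (the deployment's own bucket taken from
    the ``qs_s3_bucket`` CDK context value, and the AWS-owned buckets the
    SSM/CloudWatch agents pull from, per the statement sid), the
    CloudWatch agent's metric/log actions, and ``ssm:GetParameter`` on
    ``AmazonCloudWatch-*`` parameters.

    Args:
        name: Logical prefix for the role, construct ids and policy name.
            The region is appended to every name, so the same ``name``
            can be used once per region.

    Returns:
        The created ``_iam.Role``. It is also recorded in
        ``self._instance_role[name]``.

    Raises:
        ValueError: if the ``qs_s3_bucket`` context value is missing,
            empty, not a string, or contains an IAM wildcard character.
    """
    # Validate the context-supplied bucket prefix *before* any construct is
    # created.  A missing value previously surfaced as a TypeError from the
    # string concatenation ("str + None"), and a value containing '*' or '?'
    # would silently widen the s3:GetObject grant, because IAM treats both
    # as wildcards inside resource ARNs.
    bucket_prefix = self.node.try_get_context("qs_s3_bucket")
    if not isinstance(bucket_prefix, str) or not bucket_prefix:
        raise ValueError(
            "CDK context value 'qs_s3_bucket' must be a non-empty string")
    if any(ch in bucket_prefix for ch in "*?"):
        raise ValueError(
            "CDK context value 'qs_s3_bucket' must not contain IAM wildcard "
            "characters ('*' or '?')")

    region = self.region

    # Explicit role_name disables CDK's auto-generated unique suffix; the
    # region suffix is what keeps the physical name unique across regions.
    functional_role_name = f"{name}FunctionalRole{region}"
    instance_role = _iam.Role(
        self, functional_role_name,
        role_name=functional_role_name,
        assumed_by=_iam.ServicePrincipal("ec2.amazonaws.com"),
    )
    # Baseline permissions for the SSM agent (register, run commands, etc.).
    instance_role.add_managed_policy(
        _iam.ManagedPolicy.from_aws_managed_policy_name(
            "AmazonSSMManagedInstanceCore"))

    # Object-level read access, scoped to this region's buckets only.  The
    # first entry is the deployment's own bucket; the rest are AWS-owned
    # buckets named per region.
    agent_bucket_objects = [
        f"arn:aws:s3:::{bucket_prefix}-{region}/*",
        f"arn:aws:s3:::amazoncloudwatch-agent-{region}/*",
        f"arn:aws:s3:::aws-ssm-{region}/*",
        f"arn:aws:s3:::aws-windows-downloads-{region}/*",
        f"arn:aws:s3:::amazon-ssm-{region}/*",
        f"arn:aws:s3:::amazon-ssm-packages-{region}/*",
        f"arn:aws:s3:::{region}-birdwatcher-prod/*",
        f"arn:aws:s3:::aws-ssm-distributor-file-{region}/*",
        f"arn:aws:s3:::patch-baseline-snapshot-{region}/*",
    ]

    s3_read_statement = _iam.PolicyStatement(
        effect=_iam.Effect.ALLOW,
        sid="SSMPermissionsPolicyForSSMandCWAgent",
        actions=["s3:GetObject"],
        resources=agent_bucket_objects,
    )

    # cloudwatch:PutMetricData and the ec2:Describe* actions do not support
    # resource-level restriction, so "*" is required for them.
    # NOTE(review): the logs:* actions *do* accept log-group ARNs; if the
    # agent's log-group names are known they could be narrowed here.
    cw_agent_statement = _iam.PolicyStatement(
        effect=_iam.Effect.ALLOW,
        sid="CWAgentPermissions",
        actions=[
            "cloudwatch:PutMetricData",
            "ec2:DescribeVolumes",
            "ec2:DescribeTags",
            "logs:PutLogEvents",
            "logs:DescribeLogStreams",
            "logs:DescribeLogGroups",
            "logs:CreateLogStream",
            "logs:CreateLogGroup",
        ],
        resources=["*"],
    )

    # Lets the CloudWatch agent load its configuration from Parameter Store.
    # NOTE(review): the ARN's region and account are both "*"; everything
    # else in this role is region-scoped, so narrowing the region segment to
    # ``region`` would be consistent — confirm no cross-region read is needed.
    parameter_statement = _iam.PolicyStatement(
        effect=_iam.Effect.ALLOW,
        sid="SSMParameterStorePermissions",
        actions=["ssm:GetParameter"],
        resources=["arn:aws:ssm:*:*:parameter/AmazonCloudWatch-*"],
    )

    inst_policy_name = f"{name}InstanceProfilePolicy{region}"
    inst_policy = _iam.Policy(
        self, inst_policy_name,
        policy_name=inst_policy_name,
        statements=[s3_read_statement, cw_agent_statement, parameter_statement],
    )
    inst_policy.attach_to_role(instance_role)

    self._instance_role[name] = instance_role
    return instance_role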