AWSTemplateFormatVersion: 2010-09-09 Parameters: DomainJoinAutomationEC2Role: Type: String Description: Role Name for EC2 Domain Join Automation that will be created using this template Default: EC2DomainJoinAutomation Resources: DomainJoinAutomationRole: Type: 'AWS::IAM::Role' Properties: RoleName: !Ref DomainJoinAutomationEC2Role AssumeRolePolicyDocument: Statement: - Action: sts:AssumeRole Effect: Allow Principal: Service: - ec2.amazonaws.com Version: "2012-10-17" ManagedPolicyArns: - !Sub arn:${AWS::Partition}:iam::aws:policy/AmazonSSMManagedInstanceCore Path: / Policies: - PolicyName: ssm-param-kms-policy PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - 'kms:Decrypt' Resource: - !ImportValue AD-Creds-KMS-Key-Arn - Effect: Allow Action: - 'ssm:GetParameter*' Resource: - !ImportValue AD-Username-SSM-Param-Arn - !ImportValue AD-Password-SSM-Param-Arn InstanceProfile: Type: AWS::IAM::InstanceProfile Properties: InstanceProfileName: !Ref DomainJoinAutomationEC2Role Path: / Roles: - Ref: DomainJoinAutomationRole