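---
# CloudFormation template for the IAM role that AWS Service Catalog assumes
# when it launches serverless products (API Gateway, Lambda, DynamoDB, etc.).
# Every product template provisioned with this role runs with the permissions
# granted below, so the policy is the effective privilege ceiling for
# whoever is allowed to launch those products.
Description: 'ServiceCatalog Serverless Launch Role. (fdp-1p5s1035k)'

Resources:
  SCServerlessLaunchRole:
    Type: 'AWS::IAM::Role'
    Properties:
      # Fixed role name: deploying this stack requires CAPABILITY_NAMED_IAM,
      # and only one copy of the stack can exist per account.
      RoleName: SCServerlessLaunchRole
      # Trust policy: only the Service Catalog service principal may assume
      # this role.
      AssumeRolePolicyDocument:
        # Quoted so YAML loaders keep the policy version a string, not a date.
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - servicecatalog.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: /
      Policies:
        - PolicyName: SCLaunchPolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Single statement: every action below applies to Resource '*'.
              - Sid: SCLaunchPolicySID
                Effect: Allow
                Action:
                  # NOTE(review): full-service wildcard; narrow to the actions
                  # the catalog products actually use if that list is known.
                  - 'apigateway:*'
                  - 'cloudformation:CancelUpdateStack'
                  - 'cloudformation:ContinueUpdateRollback'
                  - 'cloudformation:CreateChangeSet'
                  - 'cloudformation:CreateStack'
                  - 'cloudformation:CreateUploadBucket'
                  - 'cloudformation:DeleteStack'
                  - 'cloudformation:Describe*'
                  - 'cloudformation:EstimateTemplateCost'
                  - 'cloudformation:ExecuteChangeSet'
                  - 'cloudformation:Get*'
                  - 'cloudformation:List*'
                  - 'cloudformation:PreviewStackUpdate'
                  - 'cloudformation:UpdateStack'
                  - 'cloudformation:UpdateTerminationProtection'
                  - 'cloudformation:ValidateTemplate'
                  - 'dynamodb:CreateTable'
                  - 'dynamodb:DeleteTable'
                  - 'dynamodb:DescribeTable'
                  - 'ec2:AttachInternetGateway'
                  - 'ec2:AuthorizeSecurityGroupIngress'
                  - 'ec2:CreateInternetGateway'
                  - 'ec2:CreateNetworkAcl'
                  - 'ec2:CreateNetworkAclEntry'
                  - 'ec2:CreateRouteTable'
                  - 'ec2:CreateSecurityGroup'
                  - 'ec2:CreateSubnet'
                  - 'ec2:CreateTags'
                  - 'ec2:CreateVpc'
                  - 'ec2:DeleteInternetGateway'
                  - 'ec2:DeleteNetworkAcl'
                  - 'ec2:DeleteNetworkAclEntry'
                  - 'ec2:DeleteRouteTable'
                  - 'ec2:DeleteSecurityGroup'
                  - 'ec2:DeleteSubnet'
                  - 'ec2:DeleteVpc'
                  - 'ec2:Describe*'
                  - 'ec2:DetachInternetGateway'
                  - 'ec2:ModifyVpcAttribute'
                  - 'events:DeleteRule'
                  - 'events:DescribeRule'
                  - 'events:ListRuleNamesByTarget'
                  - 'events:ListRules'
                  - 'events:ListTargetsByRule'
                  - 'events:PutRule'
                  - 'events:PutTargets'
                  - 'events:RemoveTargets'
                  # NOTE(review): CreateRole + PutRolePolicy + PassRole on
                  # Resource '*' means a launched template can create a role
                  # with any inline policy and hand it to a service, so the
                  # effective reach is wider than this action list. Consider
                  # scoping these to a role path or name prefix, requiring a
                  # permissions boundary (iam:PermissionsBoundary condition),
                  # and limiting PassRole with iam:PassedToService.
                  - 'iam:CreateRole'
                  - 'iam:DeleteRole'
                  - 'iam:DeleteRolePolicy'
                  - 'iam:GetRole'
                  - 'iam:PassRole'
                  - 'iam:PutRolePolicy'
                  - 'iot:CreateTopicRule'
                  - 'iot:DeleteTopicRule'
                  - 'iot:DisableTopicRule'
                  - 'iot:EnableTopicRule'
                  - 'iot:ReplaceTopicRule'
                  - 'kinesis:CreateStream'
                  - 'kinesis:DeleteStream'
                  - 'kinesis:DescribeStream'
                  # NOTE(review): full-service wildcard, see apigateway above.
                  - 'lambda:*'
                  - 'logs:CreateLogGroup'
                  - 'logs:DeleteLogGroup'
                  - 'logs:DescribeLogGroups'
                  - 'logs:DescribeLogStreams'
                  - 'logs:FilterLogEvents'
                  - 'logs:GetLogEvents'
                  # NOTE(review): with Resource '*' the object and bucket-policy
                  # actions below reach every bucket in the account, not only
                  # buckets created by launched products; a bucket-name prefix
                  # in Resource would contain that.
                  - 's3:CreateBucket'
                  - 's3:DeleteBucket'
                  - 's3:DeleteBucketPolicy'
                  - 's3:DeleteObject'
                  - 's3:DeleteObjectVersion'
                  - 's3:GetObject'
                  - 's3:GetObjectVersion'
                  - 's3:ListAllMyBuckets'
                  - 's3:ListBucket'
                  - 's3:PutBucketNotification'
                  - 's3:PutBucketPolicy'
                  - 's3:PutBucketTagging'
                  - 's3:PutBucketWebsite'
                  - 's3:PutEncryptionConfiguration'
                  - 's3:PutObject'
                  - 'sns:CreateTopic'
                  - 'sns:DeleteTopic'
                  - 'sns:GetSubscriptionAttributes'
                  - 'sns:GetTopicAttributes'
                  - 'sns:ListSubscriptions'
                  - 'sns:ListSubscriptionsByTopic'
                  - 'sns:ListTopics'
                  - 'sns:SetSubscriptionAttributes'
                  - 'sns:SetTopicAttributes'
                  - 'sns:Subscribe'
                  - 'sns:Unsubscribe'
                  - 'states:CreateStateMachine'
                  - 'states:DeleteStateMachine'
                Resource: '*'

Outputs:
  # ARN of the launch role.
  LaunchRoleArn:
    Value: !GetAtt SCServerlessLaunchRole.Arn
  # Name of the launch role (Ref on an IAM role returns its name).
  LaunchRoleName:
    Value: !Ref SCServerlessLaunchRole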