--- AWSTemplateFormatVersion: "2010-09-09" Description: > ################################################################################### # # **WARNING** # This template creates IAM Role, IAM Policy, EBS Volume and related resources. # You will be billed for the AWS resources used if you create a stack from this template. # ################################################################################### Resources: SSMEBSOperationsAutomationsExecutionRole: Type: "AWS::IAM::Role" Properties: RoleName: SSMAutomationChangeManagerEBS AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Principal: Service: - "ssm.amazonaws.com" Action: - "sts:AssumeRole" Path: "/" ManagedPolicyArns: - arn:aws:iam::aws:policy/service-role/AmazonSSMAutomationRole SSMEBSOperationsAutomationExecutionRolePolicies: Type: "AWS::IAM::Policy" Properties: PolicyName: "ChangManagerEBSVolume" PolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Action: [ "ec2:DeleteVolume", "iam:PassRole", "ec2:DescribeVolumeStatus", "ec2:DeleteSnapshot", "ec2:CreateSnapshots", "ec2:DescribeVolumes", "ec2:CreateSnapshot", "ssm:StartChangeRequestExecution", "iam:PassRole", "ec2:DescribeSnapshots" ] Resource: "*" Roles: - Ref: "SSMEBSOperationsAutomationsExecutionRole" SSMConfigEC2LabRole: Type: AWS::IAM::Role Properties: RoleName: WorkshopEC2SSMRole AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: Allow Principal: Service: ec2.amazonaws.com Action: sts:AssumeRole ManagedPolicyArns: - arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM SSMConfigEC2LabProfile: Type: AWS::IAM::InstanceProfile Properties: Roles: - !Ref "SSMConfigEC2LabRole" Path: / InstanceProfileName: WorkshopEC2SSMRole UnusedEBSVolume: Type: AWS::EC2::Volume Properties: Size: 10 VolumeType: gp3 AvailabilityZone: !Select - 0 - Fn::GetAZs: !Ref "AWS::Region"