AWSTemplateFormatVersion: '2010-09-09'
Description: AWS CloudFormation template to create IAM roles. (qs-1nlkhq1oj)
Resources:
CopyLambdaDeploymentRole:
Properties:
AssumeRolePolicyDocument:
Statement:
- Action:
- sts:AssumeRole
Effect: Allow
Principal:
Service:
- lambda.amazonaws.com
Version: '2012-10-17'
Policies:
- PolicyDocument:
Statement:
- Action:
- logs:CreateLogGroup
- logs:CreateLogStream
- logs:PutLogEvents
Effect: Allow
Resource: !Sub 'arn:${AWS::Partition}:logs:*:*:*'
Version: '2012-10-17'
PolicyName: LambdaLogging
- PolicyDocument:
Statement:
- Action:
- s3:PutObject
- s3:DeleteObject
Effect: Allow
Resource:
- !Join
- ''
- - !Ref 'RegionalLambdaBucketARN'
- /*
Version: '2012-10-17'
PolicyName: PutDeleteRegionalLambdaBucket
- PolicyDocument:
Statement:
- Action:
- s3:ListBucket
- s3:GetObject
Effect: Allow
Resource: "*"
Version: '2012-10-17'
PolicyName: ListGetQSSBucket
Type: AWS::IAM::Role
Metadata:
cfn-lint:
config:
ignore_checks:
- EIAMPolicyWildcardResource
ignore_reasons:
- EIAMPolicyWildcardResource: "Scope is limited to least privilege"
ElasticSearchLambdaIAMPolicy:
Properties:
PolicyDocument:
Statement:
- Action:
- es:DescribeElasticsearchDomain
- es:DescribeElasticsearchDomains
- es:DescribeElasticsearchDomainConfig
- es:ESHttpPost
- es:ESHttpPut
- es:ESHttpGet
Effect: Allow
Resource: !Join
- ''
- - 'arn:aws:es:'
- !Ref 'AWS::Region'
- ':'
- !Ref 'AWS::AccountId'
- :domain/
- datalake-quickstart
- '*'
Version: '2012-10-17'
PolicyName: ElasticsearchLambdaPolicy
Roles:
- !Ref 'RegisterKibanaDashboardRole'
- !Ref 'LambdaRole'
Type: AWS::IAM::Policy
KinesisStreamBucketRole:
Properties:
AssumeRolePolicyDocument:
Statement:
- Action: sts:AssumeRole
Condition:
StringEquals:
sts:ExternalId: !Ref 'AWS::AccountId'
Effect: Allow
Principal:
Service: firehose.amazonaws.com
Version: '2012-10-17'
Policies:
- PolicyDocument:
Statement:
- Action:
- s3:AbortMultipartUpload
- s3:GetBucketLocation
- s3:GetObject
- s3:ListBucket
- s3:ListBucketMultipartUploads
- s3:PutObject
Effect: Allow
Resource: !Join
- ''
- - !Ref 'SubmissionsBucketARN'
- '*'
Version: '2012-10-17'
PolicyName: KinesisBucketAccess
Type: AWS::IAM::Role
LambdaRole:
Properties:
AssumeRolePolicyDocument:
Statement:
- Action:
- sts:AssumeRole
Effect: Allow
Principal:
Service:
- lambda.amazonaws.com
Version: '2012-10-17'
Policies:
- PolicyDocument:
Statement:
- Action:
- logs:CreateLogGroup
- logs:CreateLogStream
- logs:PutLogEvents
Effect: Allow
Resource: !Sub 'arn:${AWS::Partition}:logs:*:*:*'
Version: '2012-10-17'
PolicyName: LambdaLogging
- PolicyDocument:
Statement:
- Action:
- s3:GetObject
Effect: Allow
Resource:
- !Join
- ''
- - !Ref 'SubmissionsBucketARN'
- /*
- !Join
- ''
- - !Ref 'CuratedDatasetsARN'
- /*
- !Join
- ''
- - !Ref 'PublishedDataARN'
- /*
Version: '2012-10-17'
PolicyName: GetObjectsDatalake
Type: AWS::IAM::Role
QSRedshiftRole:
Condition: CreateRedshiftRole
Properties:
AssumeRolePolicyDocument:
Statement:
- Action: sts:AssumeRole
Effect: Allow
Principal:
Service: redshift.amazonaws.com
Version: '2012-10-17'
ManagedPolicyArns:
- !Sub 'arn:${AWS::Partition}:iam::aws:policy/AWSGlueConsoleFullAccess'
Path: /
Policies:
- PolicyDocument:
Statement:
- Action:
- s3:PutObject
- s3:GetObject
- s3:ListBucket
- s3:GetBucketLocation
Effect: Allow
Resource:
- !Join
- ''
- - !Ref 'CuratedDatasetsARN'
- '*'
- !Join
- ''
- - !Ref 'PublishedDataARN'
- '*'
Version: '2012-10-17'
PolicyName: S3Access
Type: AWS::IAM::Role
RegisterKibanaDashboardRole:
Properties:
AssumeRolePolicyDocument:
Statement:
- Action:
- sts:AssumeRole
Effect: Allow
Principal:
Service:
- lambda.amazonaws.com
Version: '2012-10-17'
Policies:
- PolicyDocument:
Statement:
- Action:
- logs:CreateLogGroup
- logs:CreateLogStream
- logs:PutLogEvents
Effect: Allow
Resource: !Sub 'arn:${AWS::Partition}:logs:*:*:*'
Version: '2012-10-17'
PolicyName: LambdaLogging
- PolicyDocument:
Statement:
- Action:
- s3:GetObject
Effect: Allow
Resource:
- !Sub arn:${AWS::Partition}:s3:::aws-quickstart*/*
- !Sub
- arn:${AWS::Partition}:s3:::${S3Bucket}/*
- S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName]
Version: '2012-10-17'
PolicyName: GetQSS3Bucket
Type: AWS::IAM::Role
Metadata:
cfn-lint:
config:
ignore_checks:
- EIAMPolicyWildcardResource
ignore_reasons:
- EIAMPolicyWildcardResource: "Scope is limited to least privilege"
SageMakerExecutionRole:
Type: AWS::IAM::Role
Metadata:
cfn-lint:
config:
ignore_checks:
- EIAMPolicyWildcardResource
- EIAMPolicyActionWildcard
ignore_reasons:
- EIAMPolicyWildcardResource: "Scope is limited to least privilege"
- EIAMPolicyActionWildcard: "Scope is limited to appropriate resource"
Properties:
AssumeRolePolicyDocument:
Statement:
- Effect: Allow
Principal:
Service:
- sagemaker.amazonaws.com
Action:
- sts:AssumeRole
ManagedPolicyArns:
- !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonSageMakerFullAccess'
- !Sub 'arn:${AWS::Partition}:iam::aws:policy/CloudWatchLogsFullAccess'
- !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonS3ReadOnlyAccess'
Path: /service-role/
Policies:
- PolicyName: CuratedBucketS3BucketAccess
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- s3:*
Resource:
- !Sub '${CuratedDatasetsARN}*'
- PolicyName: SageMakerS3Access
PolicyDocument:
Version: '2012-10-17'
Statement:
- Sid: 'VisualEditor0'
Effect: Allow
Action: s3:ListBucket
Resource: !Sub 'arn:${AWS::Partition}:s3:::SageMaker'
- Sid: 'VisualEditor1'
Effect: Allow
Action:
- s3:GetLifecycleConfiguration
- s3:ListBucketByTags
- s3:GetBucketTagging
- s3:GetInventoryConfiguration
- s3:GetObjectVersionTagging
- s3:GetBucketLogging
- s3:ListBucketVersions
- s3:GetAccelerateConfiguration
- s3:ListBucket
- s3:GetBucketPolicy
- s3:GetEncryptionConfiguration
- s3:GetObjectAcl
- s3:GetObjectVersionTorrent
- s3:GetBucketRequestPayment
- s3:GetObjectVersionAcl
- s3:GetObjectTagging
- s3:GetMetricsConfiguration
- s3:GetIpConfiguration
- s3:ListBucketMultipartUploads
- s3:GetBucketWebsite
- s3:GetBucketVersioning
- s3:GetBucketAcl
- s3:GetBucketNotification
- s3:GetReplicationConfiguration
- s3:ListMultipartUploadParts
- s3:GetObject
- s3:GetObjectTorrent
- s3:GetBucketCORS
- s3:GetAnalyticsConfiguration
- s3:GetObjectVersionForReplication
- s3:GetBucketLocation
- s3:GetObjectVersio
Resource: !Sub 'arn:${AWS::Partition}:s3:::SageMaker/*'
- Sid: 'VisualEditor2'
Effect: Allow
Action:
- s3:ListAllMyBuckets
- s3:HeadBucket
Resource: '*'
CreateNotebookFunctionExecuteRole:
Type: AWS::IAM::Role
Metadata:
cfn-lint:
config:
ignore_checks:
- EIAMPolicyActionWildcard
ignore_reasons:
- EIAMPolicyActionWildcard: "Scope limited by resource"
Properties:
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service:
- lambda.amazonaws.com
Action:
- sts:AssumeRole
Path: /
Policies:
- PolicyName: CreateNotebookFunctionPolicy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- logs:CreateLogGroup
- logs:CreateLogStream
- logs:PutLogEvents
Resource: !Sub 'arn:${AWS::Partition}:logs:*:*:*'
- Effect: Allow
Action:
- sagemaker:*
Resource: '*'
- Effect: Allow
Action:
- iam:PassRole
Resource: !GetAtt 'SageMakerExecutionRole.Arn'
- Effect: Allow
Action:
- ec2:*
Resource: '*'
- Effect: Allow
Action:
- s3:*
Resource:
- !Sub 'arn:${AWS::Partition}:s3:::${QSS3BucketName}*'
Conditions:
CreateRedshiftRole: !Equals
- !Ref 'EnableRedshift'
- 'yes'
UsingDefaultBucket: !Equals [!Ref QSS3BucketName, 'aws-quickstart']
Parameters:
EnableRedshift:
AllowedValues:
- 'yes'
- 'no'
Default: 'no'
Description: Enable Redshift
Type: String
CuratedDatasetsARN:
Description: CuratedDatasets bucket ARN
Type: String
PublishedDataARN:
Description: PublishedData bucket ARN
Type: String
QSS3BucketName:
Description: Quick Start S3 bucket name
Type: String
QSS3BucketRegion:
Description: Quick Start S3 bucket region
Type: String
RegionalLambdaBucketARN:
Description: RegionalLambdaBucket bucket ARN
Type: String
SubmissionsBucketARN:
Description: SubmissionsBucket bucket ARN
Type: String
Outputs:
LambdaRoleARN:
Description: ARN of LambdaRole
Value: !GetAtt 'LambdaRole.Arn'
CopyLambdaDeploymentRoleARN:
Description: ARN of CopyLambdaDeploymentRole
Value: !GetAtt 'CopyLambdaDeploymentRole.Arn'
QSRedshiftRoleARN:
Description: ARN of QSRedshiftRole
Condition: CreateRedshiftRole
Value: !GetAtt 'QSRedshiftRole.Arn'
RegisterKibanaDashboardRoleARN:
Description: ARN of RegisterKibanaDashboardRole
Value: !GetAtt 'RegisterKibanaDashboardRole.Arn'
KinesisStreamBucketRoleARN:
Description: ARN of KinesisStreamBucketRole
Value: !GetAtt 'KinesisStreamBucketRole.Arn'
SageMakerExecutionRoleARN:
Description: Sage Maker Execution Role ARN
Value: !GetAtt 'SageMakerExecutionRole.Arn'
CreateNotebookFunctionExecuteRoleARN:
Description: Sage Maker Execution Role ARN
Value: !GetAtt 'CreateNotebookFunctionExecuteRole.Arn'