AWSTemplateFormatVersion: '2010-09-09' Description: AWS CloudFormation template to create IAM roles. (qs-1nlkhq1oj) Resources: CopyLambdaDeploymentRole: Properties: AssumeRolePolicyDocument: Statement: - Action: - sts:AssumeRole Effect: Allow Principal: Service: - lambda.amazonaws.com Version: '2012-10-17' Policies: - PolicyDocument: Statement: - Action: - logs:CreateLogGroup - logs:CreateLogStream - logs:PutLogEvents Effect: Allow Resource: !Sub 'arn:${AWS::Partition}:logs:*:*:*' Version: '2012-10-17' PolicyName: LambdaLogging - PolicyDocument: Statement: - Action: - s3:PutObject - s3:DeleteObject Effect: Allow Resource: - !Join - '' - - !Ref 'RegionalLambdaBucketARN' - /* Version: '2012-10-17' PolicyName: PutDeleteRegionalLambdaBucket - PolicyDocument: Statement: - Action: - s3:ListBucket - s3:GetObject Effect: Allow Resource: "*" Version: '2012-10-17' PolicyName: ListGetQSSBucket Type: AWS::IAM::Role Metadata: cfn-lint: config: ignore_checks: - EIAMPolicyWildcardResource ignore_reasons: - EIAMPolicyWildcardResource: "Scope is limited to least privilege" ElasticSearchLambdaIAMPolicy: Properties: PolicyDocument: Statement: - Action: - es:DescribeElasticsearchDomain - es:DescribeElasticsearchDomains - es:DescribeElasticsearchDomainConfig - es:ESHttpPost - es:ESHttpPut - es:ESHttpGet Effect: Allow Resource: !Join - '' - - 'arn:aws:es:' - !Ref 'AWS::Region' - ':' - !Ref 'AWS::AccountId' - :domain/ - datalake-quickstart - '*' Version: '2012-10-17' PolicyName: ElasticsearchLambdaPolicy Roles: - !Ref 'RegisterKibanaDashboardRole' - !Ref 'LambdaRole' Type: AWS::IAM::Policy KinesisStreamBucketRole: Properties: AssumeRolePolicyDocument: Statement: - Action: sts:AssumeRole Condition: StringEquals: sts:ExternalId: !Ref 'AWS::AccountId' Effect: Allow Principal: Service: firehose.amazonaws.com Version: '2012-10-17' Policies: - PolicyDocument: Statement: - Action: - s3:AbortMultipartUpload - s3:GetBucketLocation - s3:GetObject - s3:ListBucket - s3:ListBucketMultipartUploads - s3:PutObject Effect: Allow Resource: !Join - '' - - !Ref 'SubmissionsBucketARN' - '*' Version: '2012-10-17' PolicyName: KinesisBucketAccess Type: AWS::IAM::Role LambdaRole: Properties: AssumeRolePolicyDocument: Statement: - Action: - sts:AssumeRole Effect: Allow Principal: Service: - lambda.amazonaws.com Version: '2012-10-17' Policies: - PolicyDocument: Statement: - Action: - logs:CreateLogGroup - logs:CreateLogStream - logs:PutLogEvents Effect: Allow Resource: !Sub 'arn:${AWS::Partition}:logs:*:*:*' Version: '2012-10-17' PolicyName: LambdaLogging - PolicyDocument: Statement: - Action: - s3:GetObject Effect: Allow Resource: - !Join - '' - - !Ref 'SubmissionsBucketARN' - /* - !Join - '' - - !Ref 'CuratedDatasetsARN' - /* - !Join - '' - - !Ref 'PublishedDataARN' - /* Version: '2012-10-17' PolicyName: GetObjectsDatalake Type: AWS::IAM::Role QSRedshiftRole: Condition: CreateRedshiftRole Properties: AssumeRolePolicyDocument: Statement: - Action: sts:AssumeRole Effect: Allow Principal: Service: redshift.amazonaws.com Version: '2012-10-17' ManagedPolicyArns: - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AWSGlueConsoleFullAccess' Path: / Policies: - PolicyDocument: Statement: - Action: - s3:PutObject - s3:GetObject - s3:ListBucket - s3:GetBucketLocation Effect: Allow Resource: - !Join - '' - - !Ref 'CuratedDatasetsARN' - '*' - !Join - '' - - !Ref 'PublishedDataARN' - '*' Version: '2012-10-17' PolicyName: S3Access Type: AWS::IAM::Role RegisterKibanaDashboardRole: Properties: AssumeRolePolicyDocument: Statement: - Action: - sts:AssumeRole Effect: Allow Principal: Service: - lambda.amazonaws.com Version: '2012-10-17' Policies: - PolicyDocument: Statement: - Action: - logs:CreateLogGroup - logs:CreateLogStream - logs:PutLogEvents Effect: Allow Resource: !Sub 'arn:${AWS::Partition}:logs:*:*:*' Version: '2012-10-17' PolicyName: LambdaLogging - PolicyDocument: Statement: - Action: - s3:GetObject Effect: Allow Resource: - !Sub arn:${AWS::Partition}:s3:::aws-quickstart*/* - !Sub - arn:${AWS::Partition}:s3:::${S3Bucket}/* - S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] Version: '2012-10-17' PolicyName: GetQSS3Bucket Type: AWS::IAM::Role Metadata: cfn-lint: config: ignore_checks: - EIAMPolicyWildcardResource ignore_reasons: - EIAMPolicyWildcardResource: "Scope is limited to least privilege" SageMakerExecutionRole: Type: AWS::IAM::Role Metadata: cfn-lint: config: ignore_checks: - EIAMPolicyWildcardResource - EIAMPolicyActionWildcard ignore_reasons: - EIAMPolicyWildcardResource: "Scope is limited to least privilege" - EIAMPolicyActionWildcard: "Scope is limited to appropriate resource" Properties: AssumeRolePolicyDocument: Statement: - Effect: Allow Principal: Service: - sagemaker.amazonaws.com Action: - sts:AssumeRole ManagedPolicyArns: - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonSageMakerFullAccess' - !Sub 'arn:${AWS::Partition}:iam::aws:policy/CloudWatchLogsFullAccess' - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonS3ReadOnlyAccess' Path: /service-role/ Policies: - PolicyName: CuratedBucketS3BucketAccess PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: - s3:* Resource: - !Sub '${CuratedDatasetsARN}*' - PolicyName: SageMakerS3Access PolicyDocument: Version: '2012-10-17' Statement: - Sid: 'VisualEditor0' Effect: Allow Action: s3:ListBucket Resource: !Sub 'arn:${AWS::Partition}:s3:::SageMaker' - Sid: 'VisualEditor1' Effect: Allow Action: - s3:GetLifecycleConfiguration - s3:ListBucketByTags - s3:GetBucketTagging - s3:GetInventoryConfiguration - s3:GetObjectVersionTagging - s3:GetBucketLogging - s3:ListBucketVersions - s3:GetAccelerateConfiguration - s3:ListBucket - s3:GetBucketPolicy - s3:GetEncryptionConfiguration - s3:GetObjectAcl - s3:GetObjectVersionTorrent - s3:GetBucketRequestPayment - s3:GetObjectVersionAcl - s3:GetObjectTagging - s3:GetMetricsConfiguration - s3:GetIpConfiguration - s3:ListBucketMultipartUploads - s3:GetBucketWebsite - s3:GetBucketVersioning - s3:GetBucketAcl - s3:GetBucketNotification - s3:GetReplicationConfiguration - s3:ListMultipartUploadParts - s3:GetObject - s3:GetObjectTorrent - s3:GetBucketCORS - s3:GetAnalyticsConfiguration - s3:GetObjectVersionForReplication - s3:GetBucketLocation - s3:GetObjectVersio Resource: !Sub 'arn:${AWS::Partition}:s3:::SageMaker/*' - Sid: 'VisualEditor2' Effect: Allow Action: - s3:ListAllMyBuckets - s3:HeadBucket Resource: '*' CreateNotebookFunctionExecuteRole: Type: AWS::IAM::Role Metadata: cfn-lint: config: ignore_checks: - EIAMPolicyActionWildcard ignore_reasons: - EIAMPolicyActionWildcard: "Scope limited by resource" Properties: AssumeRolePolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Principal: Service: - lambda.amazonaws.com Action: - sts:AssumeRole Path: / Policies: - PolicyName: CreateNotebookFunctionPolicy PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: - logs:CreateLogGroup - logs:CreateLogStream - logs:PutLogEvents Resource: !Sub 'arn:${AWS::Partition}:logs:*:*:*' - Effect: Allow Action: - sagemaker:* Resource: '*' - Effect: Allow Action: - iam:PassRole Resource: !GetAtt 'SageMakerExecutionRole.Arn' - Effect: Allow Action: - ec2:* Resource: '*' - Effect: Allow Action: - s3:* Resource: - !Sub 'arn:${AWS::Partition}:s3:::${QSS3BucketName}*' Conditions: CreateRedshiftRole: !Equals - !Ref 'EnableRedshift' - 'yes' UsingDefaultBucket: !Equals [!Ref QSS3BucketName, 'aws-quickstart'] Parameters: EnableRedshift: AllowedValues: - 'yes' - 'no' Default: 'no' Description: Enable Redshift Type: String CuratedDatasetsARN: Description: CuratedDatasets bucket ARN Type: String PublishedDataARN: Description: PublishedData bucket ARN Type: String QSS3BucketName: Description: Quick Start S3 bucket name Type: String QSS3BucketRegion: Description: Quick Start S3 bucket region Type: String RegionalLambdaBucketARN: Description: RegionalLambdaBucket bucket ARN Type: String SubmissionsBucketARN: Description: SubmissionsBucket bucket ARN Type: String Outputs: LambdaRoleARN: Description: ARN of LambdaRole Value: !GetAtt 'LambdaRole.Arn' CopyLambdaDeploymentRoleARN: Description: ARN of CopyLambdaDeploymentRole Value: !GetAtt 'CopyLambdaDeploymentRole.Arn' QSRedshiftRoleARN: Description: ARN of QSRedshiftRole Condition: CreateRedshiftRole Value: !GetAtt 'QSRedshiftRole.Arn' RegisterKibanaDashboardRoleARN: Description: ARN of RegisterKibanaDashboardRole Value: !GetAtt 'RegisterKibanaDashboardRole.Arn' KinesisStreamBucketRoleARN: Description: ARN of KinesisStreamBucketRole Value: !GetAtt 'KinesisStreamBucketRole.Arn' SageMakerExecutionRoleARN: Description: Sage Maker Execution Role ARN Value: !GetAtt 'SageMakerExecutionRole.Arn' CreateNotebookFunctionExecuteRoleARN: Description: Sage Maker Execution Role ARN Value: !GetAtt 'CreateNotebookFunctionExecuteRole.Arn'