fdn-iam-RemoteReadRole.yaml
---

User Roles CloudFormation Deployment

This CloudFormation template deploys an IAM role that a central monitoring account can assume for cross-account reporting and data gathering. The role carries the AWS managed ViewOnlyAccess job-function policy plus a customer managed policy that permits reading SSM parameters whose names begin with fdn.

AWSTemplateFormatVersion: '2010-09-09'
Description: 'UITS Account Foundation: IAM Remote Read Role'

Parameters

These are the input parameters for this template. The single parameter has no default, so it must be supplied for the template to be deployed. It is declared as a plain String; the template does not validate that the value is a 12-digit account ID, so a mistyped value would silently trust the wrong account.

Parameters:
  CentralMonitoringAccountNumber:
    Description: The AWS Account Number of the Central Monitoring Account.
    Type: String

Resources

Two resources are created. RemoteReadRole trusts the root principal of the central monitoring account, which means any identity in that account that its own IAM policies allow to call sts:AssumeRole on this role, not only the root user; the trust policy carries no ExternalId or other condition. RemoteReadPolicy supplements ViewOnlyAccess, which does not by itself grant reading SSM parameter values: ssm:DescribeParameters must be granted on "*" because that action does not support resource-level permissions, while the ssm:Get* actions are scoped to parameters whose names start with fdn (a name prefix match, so fdn-legacy/key matches as well as fdn/db/endpoint).

Resources:
  RemoteReadRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: fdn-iam-RemoteReadRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/job-function/ViewOnlyAccess
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${CentralMonitoringAccountNumber}:root"
            Action:
              - sts:AssumeRole

  RemoteReadPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Action:
              - ssm:DescribeParameters
            Effect: Allow
            Resource: "*"
          - Action:
              - ssm:GetParametersByPath
              - ssm:GetParameters
              - ssm:GetParameter
            Effect: Allow
            Resource: "arn:aws:ssm:*:*:parameter/fdn*"
      Roles:
        - Ref: RemoteReadRole
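The following script is an added example and is not part of the template or the UITS foundation project. It takes the two policy documents as CloudFormation renders them once ${CentralMonitoringAccountNumber} is substituted and evaluates them offline with a simplified IAM matcher, so a reviewer can confirm before deploying which account may assume the role and which parameter ARNs the ssm:Get* statement actually covers. The account IDs, region and parameter names are made up for the demonstration; the evaluator ignores conditions, NotAction/NotResource and resource policies.

```python
"""Offline check of what fdn-iam-RemoteReadRole permits (added example, not project code)."""
from fnmatch import fnmatchcase

CENTRAL_MONITORING_ACCOUNT = "111111111111"  # assumed value of the template parameter
MEMBER_ACCOUNT = "222222222222"              # assumed account the stack is deployed into

# AssumeRolePolicyDocument from the template after !Sub has been applied
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{CENTRAL_MONITORING_ACCOUNT}:root"},
            "Action": ["sts:AssumeRole"],
        }
    ],
}

# RemoteReadPolicy's PolicyDocument, mirroring the template's two statements
REMOTE_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Action": ["ssm:DescribeParameters"], "Effect": "Allow", "Resource": "*"},
        {
            "Action": ["ssm:GetParametersByPath", "ssm:GetParameters", "ssm:GetParameter"],
            "Effect": "Allow",
            "Resource": "arn:aws:ssm:*:*:parameter/fdn*",
        },
    ],
}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _iam_match(pattern, value):
    # IAM wildcards are * and ?; fnmatchcase treats both the same way and
    # lets * span ':' and '/', which is also how IAM matches ARN patterns.
    return fnmatchcase(value, pattern)


def is_allowed(policy, action, resource):
    """Simplified identity-policy evaluation: an explicit Deny wins, any
    matching Allow grants, anything else is implicitly denied.
    Action names are case-insensitive, resource ARNs are not."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        if not any(_iam_match(a, action.lower()) for a in actions):
            continue
        if not any(_iam_match(r, resource) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def trusted_accounts(trust_policy):
    """Account IDs whose identities may call sts:AssumeRole on the role.
    A ':root' principal delegates the decision to that account's own IAM,
    so every identity there with an sts:AssumeRole grant on this role qualifies."""
    accounts = set()
    for stmt in trust_policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not any(_iam_match(a.lower(), "sts:assumerole") for a in _as_list(stmt["Action"])):
            continue
        for principal in _as_list(stmt["Principal"].get("AWS", [])):
            if principal == "*":
                raise ValueError("trust policy allows every AWS account")
            accounts.add(principal.split(":")[4])  # arn:aws:iam::<account>:root
    return accounts


def can_assume(trust_policy, caller_arn):
    """True when the caller's account is one the trust policy names."""
    return caller_arn.split(":")[4] in trusted_accounts(trust_policy)


def param_arn(name, region="us-east-1", account=MEMBER_ACCOUNT):
    """Build an SSM parameter ARN for a made-up parameter name."""
    return f"arn:aws:ssm:{region}:{account}:parameter/{name}"


if __name__ == "__main__":
    print("trusted accounts:", trusted_accounts(TRUST_POLICY))
    for action, res in [
        ("ssm:DescribeParameters", "*"),
        ("ssm:GetParameter", param_arn("fdn/db/endpoint")),
        ("ssm:GetParameter", param_arn("fdn-legacy/key")),
        ("ssm:GetParameter", param_arn("prod/db/password")),
        ("ssm:PutParameter", param_arn("fdn/db/endpoint")),
    ]:
        print(f"{action:24s} {res:62s} {is_allowed(REMOTE_READ_POLICY, action, res)}")
```

The run shows the two review points a practitioner cares about: only identities in the central monitoring account can assume the role, and reads succeed for any parameter whose name starts with fdn, including names such as fdn-legacy/key that are not under the fdn/ path, while parameters outside that prefix and any write action are denied.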