kfs_cloudwatchlogs_role.yaml
---
# User Roles CloudFormation Deployment
#
# This CloudFormation template will deploy IAM roles for use by Users of this account.

AWSTemplateFormatVersion: '2010-09-09'
Description: 'Kuali CloudWatch Logs Read Only IAM Role'
Resources:

  # CloudWatch Logs Role
  #
  # The Read-Only Admin role/policy allows broad read access to most services.

  CloudWatchLogsGroup:
    Type: AWS::IAM::Group
    Properties:
      Path: "/"

  CloudWatchLogsRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - sts:AssumeRole
          - Effect: Allow
            Principal:
              Federated: !Sub "arn:aws:iam::${AWS::AccountId}:saml-provider/UA_Shibboleth_IdP"
            Action: sts:AssumeRoleWithSAML
            Condition:
              StringEquals:
                SAML:aud: https://signin.aws.amazon.com/saml

  CloudWatchLogsRoleProfile:
    Type: AWS::IAM::InstanceProfile
    DependsOn: CloudWatchLogsRole
    Properties:
      Path: "/"
      Roles:
        - Ref: CloudWatchLogsRole

  # Read-Only Admin Policy

  CloudWatchLogsPolicy:
    Type: AWS::IAM::ManagedPolicy
    DependsOn: CloudWatchLogsRoleProfile
    Properties:
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Action:
              - logs:DescribeLogGroups
            Effect: Allow
            Resource: "*"
          - Action:
              - logs:Describe*
              - logs:FilterLogEvents
              - logs:GetLogEvents
            Effect: Allow
            Resource: !Sub "arn:aws:logs:*:${AWS::AccountId}:log-group:kf*"
      Roles:
        - Ref: CloudWatchLogsRole
      Groups:
        - Ref: CloudWatchLogsGroup

# Outputs

Outputs:
  CloudWatchLogsRole:
    Value: !Ref CloudWatchLogsRole
  CloudWatchLogsRoleARN:
    Value: !GetAtt CloudWatchLogsRole.Arn
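A defender-side check for the managed policy above, added here as an example and not part of the Kuali template: it mirrors the two policy statements as constructed Python data (with a placeholder account id standing in for ${AWS::AccountId}), answers whether a given action/resource pair would be allowed under IAM wildcard rules, and lints for Allow statements that grant non-read actions on Resource "*". The read-only verb list is our own heuristic, not an AWS definition.

```python
import re

# Constructed copy of the two policy statements from kfs_cloudwatchlogs_role.yaml.
# ${AWS::AccountId} is replaced by a placeholder account id (assumption).
ACCOUNT_ID = "123456789012"
POLICY_STATEMENTS = [
    {"Effect": "Allow", "Action": ["logs:DescribeLogGroups"], "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["logs:Describe*", "logs:FilterLogEvents", "logs:GetLogEvents"],
     "Resource": f"arn:aws:logs:*:{ACCOUNT_ID}:log-group:kf*"},
]

# Service verbs treated as read-only by the lint below (our heuristic, not an AWS list).
READ_ONLY_VERB = re.compile(r"^[a-z0-9-]+:(describe|get|list|filter)", re.IGNORECASE)


def iam_glob(pattern, value):
    """IAM wildcard match: '*' is any run of characters, '?' exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def _as_list(v):
    return v if isinstance(v, list) else [v]


def is_allowed(action, resource, statements=POLICY_STATEMENTS):
    """True if an Allow statement matches the action (case-insensitive) and the
    resource ARN. The template carries no Deny statements, so none are modelled."""
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        action_ok = any(iam_glob(a.lower(), action.lower()) for a in _as_list(stmt["Action"]))
        resource_ok = any(iam_glob(r, resource) for r in _as_list(stmt["Resource"]))
        if action_ok and resource_ok:
            return True
    return False


def unscoped_mutating_grants(statements=POLICY_STATEMENTS):
    """Least-privilege lint: return actions an Allow statement grants on Resource '*'
    that are not read-only verbs. Empty for this template's policy."""
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt["Resource"]):
            continue
        findings += [a for a in _as_list(stmt["Action"]) if not READ_ONLY_VERB.match(a)]
    return findings
```

Note that the second statement is scoped to the account and the kf* log-group prefix, so the same read actions against another account's log groups, or against a log group without that prefix, are not allowed.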