{ "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Condition": { "StringEquals": { "sts:ExternalId": "ExternalId" } }, "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::${AccountId}:root" }, "Sid": "" } ], "Version": "2012-10-17" }, "Path": "/", "ManagedPolicyArns": [ "arn:aws:iam::aws:policy/ReadOnlyAccess", "arn:aws:iam::aws:policy/CloudWatchReadOnlyAccess", "arn:aws:iam::aws:policy/AWSBudgetsReadOnlyAccess", "arn:aws:iam::aws:policy/AWSBillingReadOnlyAccess", "arn:aws:iam::aws:policy/AWSBillingConductorReadOnlyAccess", "arn:aws:iam::aws:policy/AWSSavingsPlansReadOnlyAccess", "arn:aws:iam::aws:policy/AmazonRDSReadOnlyAccess", "arn:aws:iam::aws:policy/AWSCloudTrail_ReadOnlyAccess", "arn:aws:iam::aws:policy/AmazonMemoryDBReadOnlyAccess" ], "Policies": [ { "PolicyName": "AimablyPolicyClusterAndInstanceControl", "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:StartInstances", "ec2:StopInstances", "rds:StopDBInstance", "rds:StartDBInstance", "rds:StopDBCluster", "rds:StartDBCluster", "redshift:PauseCluster", "redshift:ResumeCluster" ], "Resource": "*" } ] } }, { "PolicyName": "AimablyPolicy", "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "pricing:Get*", "pricing:List*", "pricing:Describe*", "iam:CreateServiceLinkedRole", "compute-optimizer:UpdateEnrollmentStatus", "cur:Describe*", "cur:List*", "apigateway:Get*" ], "Resource": "*" } ] } }, { "PolicyName": "AimablyPolicyS3", "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Sid": "AllowSpecificPatterns", "Effect": "Allow", "Action": [ "s3:GetObject*", "s3:ListBucket" ], "Resource": [ "arn:aws:s3:::com.cloudycosts.cloudformation", "arn:aws:s3:::com.cloudycosts.cloudformation/*", "arn:aws:s3:::*aimably*", "arn:aws:s3:::*aimably*/*", "arn:aws:s3:::*cur*", "arn:aws:s3:::*cur*/*" ] }, { "Sid": "DenyGetObjectExceptPatterns", "Effect": "Deny", "Action": [ "s3:GetObject", "s3:GetObjectVersion" ], "NotResource": [ "arn:aws:s3:::com.cloudycosts.cloudformation/*", "arn:aws:s3:::*aimably*/*", "arn:aws:s3:::*cur*/*" ] } ] } }, { "PolicyName": "AimablyPolicyLogsDeny", "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": [ "logs:StartLiveTail", "logs:StartQuery", "logs:StopLiveTail", "logs:StopQuery" ], "Resource": "*" } ] } }, { "PolicyName": "AimablyPolicyCloudFormation", "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "cloudformation:Describe*", "cloudformation:Detect*", "cloudformation:Estimate*", "cloudformation:Get*", "cloudformation:List*" ], "Resource": "*" } ] } }, { "PolicyName": "AimablyPolicyCloudTrail", "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "cloudtrail:Describe*", "cloudtrail:Get*", "cloudtrail:Generate*", "cloudtrail:Search*", "cloudtrail:Start*", "cloudtrail:List*", "cloudtrail:LookupEvents" ], "Resource": "*" } ] } }, { "PolicyName": "AimablyPolicyCostExplorer", "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ce:Describe*", "ce:Get*", "ce:List*" ], "Resource": "*" } ] } }, { "PolicyName": "AimablyPolicyIAM", "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iam:Generate*", "iam:Get*", "iam:List*", "iam:Simulate*" ], "Resource": "*" } ] } }, { "PolicyName": "AimablyPolicySavingsPlans", "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "savingsplans:Describe*", "savingsplans:List*", "savingsplans:Return*" ], "Resource": "*" } ] } } ] } }