Instance Profile
- CloudFormation template: yaml
```yaml
AWSTemplateFormatVersion: 2010-09-09
Description: >
  An IAM instance profile, which allows code running on an EC2 instance to
  assume an IAM role.
```
Parameters
```yaml
Parameters:
```
Param | Value |
---|---|
DeploymentName | cfc |
DeploymentName
```yaml
  DeploymentName:
    Type: String
    Description: A name for this deployment
```
A deployment is a deployed application, potentially composed of many
CloudFormation stacks. This is sometimes called an "environment", but that is an
overloaded and confusing term. Use the `DeploymentName` to indicate which
logical deployment a stack belongs to.

If a deployment is completely specified by exactly one CloudFormation template,
the `DeploymentName` and the `AWS::StackName` refer to the same thing. In that
case, consider not using a `DeploymentName` parameter.
Resources
```yaml
Resources:
```
Role
```yaml
  InstanceRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub "${DeploymentName}-InstanceRole"
      Description: Allows EC2 instances to call AWS services
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action:
              - sts:AssumeRole
      ManagedPolicyArns:
        - !Ref InstancePolicy
```
Policy
```yaml
  InstancePolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Description: Allow logging to CloudWatch
      ManagedPolicyName: !Sub "${DeploymentName}-InstancePolicy"
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Action:
              - logs:CreateLogGroup
              - logs:CreateLogStream
              - logs:PutLogEvents
              - logs:DescribeLogStreams
            Resource: "*"
```
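A narrower variant of the policy above, as an added example that is not part of the original template: it replaces `Resource: "*"` with the ARNs of log groups under a `/${DeploymentName}/` prefix, so the instance role cannot write to other deployments' log groups. The log group naming convention is an assumption; change the prefix to match where the instances actually log.

```yaml
  # Added example, not part of the original template.
  # Assumption: instances log only to groups named /<DeploymentName>/...
  InstancePolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Description: Allow logging to this deployment's CloudWatch log groups
      ManagedPolicyName: !Sub "${DeploymentName}-InstancePolicy"
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Action:
              - logs:CreateLogGroup
              - logs:CreateLogStream
              - logs:PutLogEvents
              - logs:DescribeLogStreams
            # IAM's * matches any characters, so this one pattern covers the
            # prefixed log groups and the log streams inside them.
            Resource: !Sub "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/${DeploymentName}/*"
```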
Instance Profile
```yaml
  InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      InstanceProfileName: !Sub "${DeploymentName}-InstanceProfile"
      Roles:
        - !Ref InstanceRole
```