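AWSTemplateFormatVersion: '2010-09-09'
# Deployed in the AWS Organizations management account. Creates a read-only
# cross-account role that the CloudWatchAutoAlarms Lambda (running in a
# separate account) assumes to enumerate the active accounts in an OU.
Description: IAM Role for assuming management account role to get active accounts by organizational unit.
Parameters:
  CloudWatchAutoAlarmsAccountId:
    Description: The AWS Account ID where the CloudWatchAutoAlarms AWS Lambda function is deployed.
    Type: String
    # A malformed or truncated account ID would otherwise only fail at stack
    # creation with an "Invalid principal" error; reject it at parameter time.
    AllowedPattern: '^[0-9]{12}$'
    ConstraintDescription: Must be a 12-digit AWS account ID.
Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: "CloudWatchAutoAlarms Configuration"
        Parameters:
          - CloudWatchAutoAlarmsAccountId
    ParameterLabels:
      CloudWatchAutoAlarmsAccountId:
        default: "CloudWatchAutoAlarms Account ID"
Resources:
  CloudWatchAutoAlarmManagementAccountRole:
    Type: AWS::IAM::Role
    Properties:
      # Fixed name: the Lambda side references this role by ARN, so only one
      # instance of this stack can exist per management account.
      RoleName: CloudWatchAutoAlarmManagementAccountRole
      # Trust policy: only the CloudWatchAutoAlarmsRole in the Lambda account
      # (and, explicitly, its "CloudWatchAutoAlarms" session) may assume this
      # role. Listing the role ARN already covers every session of that role;
      # the assumed-role ARN is kept for explicitness.
      # NOTE(review): IAM stores role principals by unique ID. If the role in
      # the Lambda account is deleted and recreated, these principals silently
      # resolve to the old unique ID and AssumeRole fails until this stack is
      # updated.
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS:
                - !Sub "arn:${AWS::Partition}:iam::${CloudWatchAutoAlarmsAccountId}:role/CloudWatchAutoAlarmsRole"
                - !Sub "arn:${AWS::Partition}:sts::${CloudWatchAutoAlarmsAccountId}:assumed-role/CloudWatchAutoAlarmsRole/CloudWatchAutoAlarms"
            Action: sts:AssumeRole
      Policies:
        # Read-only: list accounts, nothing that mutates the organization.
        - PolicyName: OrganizationsAccessPolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - organizations:ListAccountsForParent
                  - organizations:ListAccounts
                # ListAccounts has no resource-level scoping. ListAccountsForParent
                # could be narrowed to specific root/OU ARNs if the target OUs are
                # known at deploy time — consider doing so to limit visibility.
                Resource: '*'
Outputs:
  CloudWatchAutoAlarmManagementAccountRoleArn:
    Description: ARN of the IAM Role for CloudWatch Auto Alarms.
    Value: !GetAtt CloudWatchAutoAlarmManagementAccountRole.Arn
    Export:
      Name: CloudWatchAutoAlarmManagementAccountRoleArn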