Parameters: RoleName: Type: String Description: Name of the IAM role to create PolicyName: Type: String Description: Name of the IAM policy to create AccountId: Type: String Description: AWS AccountId to use for Trust Policy ExternalId: Type: String Description: ExternalId to use for Trust Policy AWSTemplateFormatVersion: 2010-09-09 Resources: LMPolicy: Type: 'AWS::IAM::ManagedPolicy' Properties: ManagedPolicyName: !Ref PolicyName PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - 'apigateway:GET' - 'appstream:DescribeFleets' - 'appstream:ListTagsForResource' - 'athena:GetWorkGroup' - 'athena:List*' - 'autoscaling:Describe*' - 'backup:List*' - 'bedrock:Get*' - 'bedrock:List*' - 'ce:GetReservationCoverage' - 'cloudfront:Get*' - 'cloudfront:List*' - 'cloudsearch:DescribeDomains' - 'cloudsearch:ListDomainNames' - 'cloudwatch:Describe*' - 'cloudwatch:Get*' - 'cloudwatch:List*' - 'codebuild:BatchGetProjects' - 'codebuild:List*' - 'cognito-idp:Describe*' - 'cognito-idp:List*' - 'directconnect:Describe*' - 'dms:Describe*' - 'dms:List*' - 'dynamodb:DescribeTable' - 'dynamodb:ListTables' - 'dynamodb:ListTagsOfResource' - 'ec2:Describe*' - 'ec2:DescribeNetworkInterfaces' - 'ecr:Describe*' - 'ecr:List*' - 'ecs:Describe*' - 'ecs:List*' - 'elasticache:DescribeCacheClusters' - 'elasticache:ListTagsForResource' - 'elasticbeanstalk:Check*' - 'elasticbeanstalk:Describe*' - 'elasticbeanstalk:List*' - 'elasticfilesystem:Describe*' - 'elasticloadbalancing:Describe*' - 'elasticloadbalancing:DescribeLoadBalancerAttributes' - 'elasticloadbalancing:DescribeLoadBalancers' - 'elasticloadbalancing:DescribeTags' - 'elasticloadbalancing:DescribeTargetGroups' - 'elasticmapreduce:Describe*' - 'elasticmapreduce:List*' - 'elastictranscoder:ListPipelines' - 'es:Describe*' - 'es:List*' - 'events:List*' - 'firehose:DescribeDeliveryStream' - 'firehose:ListDeliveryStreams' - 'firehose:ListTagsForDeliveryStream' - 'fsx:Describe*' - 'glue:GetJobs' - 'glue:GetTags' - 'health:Describe*' - 'iam:GetUser' - 'kafka:List*' - 'kinesis:DescribeStream' - 'kinesis:ListStreams' - 'kinesis:ListTagsForStream' - 'kinesisvideo:Describe*' - 'kinesisvideo:Get*' - 'kinesisvideo:List*' - 'lambda:Get*' - 'lambda:List*' - 'mediaconnect:DescribeFlow' - 'mediaconnect:List*' - 'mediaconvert:DescribeEndpoints' - 'mediaconvert:ListQueues' - 'mediaconvert:ListTagsForResource' - 'mediapackage-vod:ListPackagingConfigurations' - 'mediapackage-vod:ListTagsForResource' - 'mediapackage:DescribeOriginEndpoint' - 'mediapackage:List*' - 'mediapackage:ListOriginEndpoints' - 'mediastore:Describe*' - 'mediastore:List*' - 'mediatailor:ListPlaybackConfigurations' - 'mediatailor:ListTagsForResource' - 'mq:List*' - 'networkmanager:DescribeGlobalNetworks' - 'networkmanager:Get*' - 'networkmanager:List*' - 'opsworks:DescribeStacks' - 'opsworks:ListTags' - 'organizations:DescribeAccount' - 'organizations:DescribeOrganization' - 'organizations:DescribeOrganizationalUnit' - 'organizations:ListAccounts' - 'organizations:ListAccountsForParent' - 'organizations:ListOrganizationalUnitsForParent' - 'organizations:ListRoots' - 'pi:Describe*' - 'pi:Get*' - 'quicksight:DescribeDashboard' - 'quicksight:DescribeDataSet' - 'quicksight:ListDashboards' - 'quicksight:ListDataSets' - 'quicksight:ListTagsForResource' - 'rds:DescribeAccountAttributes' - 'rds:DescribeDBClusterSnapshots' - 'rds:DescribeDBClusters' - 'rds:DescribeDBInstances' - 'rds:DescribeDBSnapshots' - 'rds:ListTagsForResource' - 'redshift:DescribeClusters' - 'route53:Get*' - 'route53:List*' - 'route53resolver:List*' - 's3:GetBucketLocation' - 's3:GetBucketTagging' - 's3:GetObject' - 's3:GetObjectVersion' - 's3:List*' - 'sagemaker:List*' - 'sagemaker:describeEndpoint' - 'servicequotas:ListServiceQuotas' - 'ses:Describe*' - 'ses:GetSendQuota' - 'ses:GetSendStatistics' - 'ses:List*' - 'sns:GetTopicAttributes' - 'sns:ListTagsForResource' - 'sns:ListTopics' - 'sqs:GetQueueAttributes' - 'sqs:GetQueueUrl' - 'sqs:ListQueueTags' - 'sqs:ListQueues' - 'states:DescribeStateMachine' - 'states:ListStateMachines' - 'states:ListTagsForResource' - 'support:*' - 'swf:Count*' - 'swf:Describe*' - 'swf:Get*' - 'swf:List*' - 'swf:ListActivityTypes' - 'swf:ListDomains' - 'transfer:DescribeServer' - 'transfer:List*' - 'waf:GetWebACL' - 'waf:ListWebACLs' - 'wafv2:ListWebACLs' - 'workspaces:DescribeTags' - 'workspaces:DescribeWorkspaceDirectories' - 'workspaces:DescribeWorkspaces' Resource: '*' LMRole: Type: 'AWS::IAM::Role' Properties: RoleName: !Ref RoleName AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: AWS: !Join [':', [ 'arn', !Ref AWS::Partition, 'iam:', !Ref AccountId, 'root' ] ] Action: 'sts:AssumeRole' Condition: StringEquals: sts:ExternalId: !Ref ExternalId ManagedPolicyArns: - !Ref LMPolicy Outputs: RoleArn: Value: !GetAtt LMRole.Arn Export: Name: !Sub '${AWS::StackName}-LogicMonitor-RoleArn'